Abstract. Guarded protocols were introduced in a seminal paper by Emerson and Kahlon (2000), and describe systems of processes whose transitions are enabled or disabled depending on the existence of other processes in certain local states. We study parameterized model checking and synthesis of guarded protocols, both aiming at formal correctness arguments for systems with any number of processes. Cutoff results reduce reasoning about systems with an arbitrary number of processes to systems of a determined, fixed size. Our work stems from the observation that existing cutoff results for guarded protocols i) are restricted to closed systems, and ii) are of limited use for liveness properties because reductions do not preserve fairness. We close these gaps and obtain new cutoff results for open systems with liveness properties under fairness assumptions. Furthermore, we obtain cutoffs for the detection of global and local deadlocks, which are of paramount importance in synthesis. Finally, we prove tightness or asymptotic tightness for the new cutoffs.


1 Introduction 

Concurrent hardware and software systems are notoriously hard to get correct. Formal methods like model checking or synthesis can be used to guarantee correctness, but the state explosion problem prevents us from using such methods for systems with a large number of components. Furthermore, correctness properties are often expected to hold for an arbitrary number of components. Both problems can be solved by parameterized model checking and synthesis approaches, which give correctness guarantees for systems with any number of components without considering every possible system instance explicitly.

While parameterized model checking (PMC) is undecidable in general [25], there exist a number of methods that decide the problem for specific classes of systems [12,14,1' ], as well as semi-decision procedures that are successful in many interesting cases [9,18,21]. In this paper, we consider the cutoff method that can guarantee properties of systems of arbitrary size by considering only systems of up to a certain fixed size, thus providing a decision procedure for PMC if components are finite-state.

We consider systems that are composed of an arbitrary number of processes, each an instance of a process template from a given, finite set. Process templates can be viewed as synchronization skeletons [11], i.e., program abstractions that suppress information not necessary for synchronization. In our system model, processes communicate by guarded updates, where guards are statements about other processes that are interpreted either conjunctively (“every other process satisfies the guard”) or disjunctively (“there exists a process that satisfies the guard”). Conjunctive guards can model atomic sections or locks, disjunctive guards can model token-passing or to some extent pairwise rendezvous (cf. [13]).

This class of systems has been studied by Emerson and Kahlon [12], and cutoffs that depend on the size of process templates are known for specifications of the form $\forall p.\ \Phi(p)$, where $\Phi(p)$ is an LTL\X property over the local states of one or more processes $p$. Note that this does not allow us to specify fairness assumptions, for two reasons: i) to specify fairness, additional atomic propositions for enabledness and scheduling of processes are needed, and ii) specifications with global fairness assumptions are of the form $(\forall p.\ fair(p)) \to (\forall p.\ \Phi(p))$. Because neither is supported by [12], the existing cutoffs are of limited use for reasoning about liveness properties.

Emerson and Kahlon [12] mentioned this limitation and illustrated it using the process template in the figure on the right. Transitions from the initial state N to the “trying” state T and from the critical state C to N are always possible, while the transition from T to C is only possible if no other process is in C. The existing cutoff results can be used to prove safety properties like mutual exclusion for systems composed of arbitrarily many copies of this template. However, they cannot be used to prove starvation-freedom properties like $\forall p.\ A\,G(T_p \to F\,C_p)$, stating that every process $p$ that enters its local state $T_p$ will eventually enter state $C_p$, because without fairness of scheduling the property does not hold.

[Figure: process template with local states N, T and C.]

Also, Emerson and Kahlon [12] consider only closed systems. Therefore, in this example, processes always try to enter C. In contrast, in open systems the transition to T might be a reaction to a corresponding input from the environment that makes entering C necessary. While it is possible to convert an open system to a closed system that is equivalent under LTL properties, this comes at the cost of a blow-up.

Motivation. Our work is inspired by applications in parameterized synthesis [17], where the goal is to automatically construct process templates such that a given specification is satisfied in systems with an arbitrary number of components. In this setting, one generally considers open systems that interact with an uncontrollable environment, and most specifications contain liveness properties that cannot be guaranteed without fairness assumptions. Also, one is in general interested in synthesizing deadlock-free systems. Cutoffs are essential for parameterized synthesis, and we will show in Sect. 4 how size-dependent cutoffs can be integrated into the parameterized synthesis approach.

Contributions.

— We show that existing cutoffs for model checking of LTL\X properties are in general not sufficient for systems with fairness assumptions, and provide new cutoffs for this case.

— We improve some of the existing cutoff results, and give separate cutoffs for the problem of deadlock detection, which is closely related to fairness.

— We prove tightness or asymptotic tightness for all of our cutoffs, showing that smaller cutoffs cannot exist with respect to the parameters we consider.

Moreover, all of our cutoffs directly support open systems, where each process may communicate with an adversarial environment. This makes the blow-up incurred by translation to an equivalent closed system unnecessary. The results presented here are based on a more detailed preliminary version of this paper [ ].

2 Related Work 

As mentioned, we extend the results of Emerson and Kahlon [12] who study 
PMC of guarded protocols, but do not support fairness assumptions, nor provide 
cutoffs for deadlock detection. In [13] they extended their work to systems with 
limited forms of guards and broadcasts, and also proved undecidability of PMC 
of conjunctive guarded protocols wrt. LTL (including X), and undecidability wrt. 
LTL\X for systems with both conjunctive and disjunctive guards. 

Bouajjani et al. [7] study parameterized model checking of resource allocation systems (RASs). Such systems have a bounded number of resources, each owned by at most one process at any time. Processes are pushdown automata, and can request resources with high or normal priority. RASs are similar to conjunctive guarded protocols in that certain transitions are disabled unless a process has a certain resource. RASs without priorities and with processes being finite state automata can be converted to conjunctive guarded protocols (at the price of a blow-up), but not vice versa. The authors study parameterized model checking wrt. LTL\X properties on arbitrary or on strong-fair runs, and (local or global) deadlock detection. The proof structure resembles that of [12], as does ours.

German and Sistla [16] considered global deadlocks and strong fairness properties for systems with pairwise rendezvous communication in a clique. Emerson and Kahlon [13] have shown that disjunctive guard systems can be reduced to such pairwise rendezvous systems. However, German and Sistla [16] do not provide cutoffs, nor do they consider local deadlocks, and their specifications can talk about one process only. Aminof et al. [3] have recently extended these results to more general topologies, and have shown that for some decidable PMC problems there are no cutoffs, even in cliques.

Emerson and Namjoshi provide cutoffs for systems that pass a valueless token 
in a ring [14], which is essentially resource allocation of a single resource with 
a specific allocation scheme. Their results have been extended to more general 
topologies [2,10]. All of these results consider fairness of token passing in the 
sense that every process receives the token infinitely often. 

Many of the decidability results above have recently been surveyed by Bloem et al. [6]. In addition, there are many methods based on semi-algorithms.

“Dynamic cutoff” approaches [1,18] support larger classes of systems, and try to find cutoffs for a concrete system and specification. These methods can find smaller cutoffs than those that are statically determined for a whole class of systems and specifications, but are currently limited to safety properties. The invisible invariants method [23] tries to find invariants in small systems, and applies a specialized cutoff result to prove correctness of all instances, including an extension to liveness properties [ 5].

Finally, there are methods that work completely without cutoffs, like regular 
model checking [8], network invariants [19,21,26], and counter abstraction [24]. 
They are in general incomplete, but may provide decision procedures for certain 
classes of systems and specifications, and support liveness to some extent. 

3 Preliminaries 

3.1 System Model 

We consider systems $A \| B^n$, usually written $(A,B)^{(1,n)}$, consisting of one copy of a process template $A$ and $n$ copies of a process template $B$, in an interleaving parallel composition. We distinguish objects that belong to different templates by indexing them with the template. E.g., for process template $U \in \{A, B\}$, $Q_U$ is the set of states of $U$. For this section, fix two disjoint finite sets $Q_A$, $Q_B$ as sets of states of process templates $A$ and $B$, and a positive integer $n$.

Processes. A process template is a transition system $U = (Q, init, \Sigma, \delta)$ with

— $Q$ is a finite set of states including the initial state $init$,

— $\Sigma$ is a finite input alphabet,

— $\delta \subseteq Q \times \Sigma \times \mathcal{P}(Q_A \cup Q_B) \times Q$ is a guarded transition relation.

A process template is closed if $\Sigma = \emptyset$, and otherwise open.

We define the size $|U|$ of a process template $U \in \{A, B\}$ as $|Q_U|$. A copy of template $U$ will be called a $U$-process. Different $B$-processes are distinguished by subscript, i.e., for $i \in [1..n]$, $B_i$ is the $i$th copy of $B$, and $q_{B_i}$ is a state of $B_i$. A state of the $A$-process is denoted by $q_A$.

For the rest of this subsection, fix templates $A$ and $B$. We assume that $\Sigma_A \cap \Sigma_B = \emptyset$. We will also write $p$ for a process in $\{A, B_1, \ldots, B_n\}$, unless $p$ is specified explicitly.

Disjunctive and Conjunctive Systems. In a system $(A,B)^{(1,n)}$, consider global state $s = (q_A, q_{B_1}, \ldots, q_{B_n})$ and global input $e = (\sigma_A, \sigma_{B_1}, \ldots, \sigma_{B_n})$. We also write $s(p)$ for $q_p$, and $e(p)$ for $\sigma_p$. A local transition $(q_p, \sigma_p, g, q'_p) \in \delta_U$ of $p$ is enabled for $s$ and $e$ if its guard $g$ is satisfied for $p$ in $s$, written $(s,p) \models g$. Disjunctive and conjunctive systems are distinguished by the interpretation of guards:

In disjunctive systems: $(s,p) \models g$ iff $\exists p' \in \{A, B_1, \ldots, B_n\} \setminus \{p\} : q_{p'} \in g$.
In conjunctive systems: $(s,p) \models g$ iff $\forall p' \in \{A, B_1, \ldots, B_n\} \setminus \{p\} : q_{p'} \in g$.

Note that we check containment in the guard (disjunctively or conjunctively) only for local states of processes different from $p$. A process is enabled for $s$ and $e$ if at least one of its transitions is enabled for $s$ and $e$, otherwise it is disabled.
Like Emerson and Kahlon [12], we assume that in conjunctive systems $init_A$ and $init_B$ are contained in all guards, i.e., they act as neutral states. Furthermore, we call a conjunctive system 1-conjunctive if every guard is of the form $(Q_A \cup Q_B) \setminus \{q\}$ for some $q \in Q_A \cup Q_B$.

Then, $(A,B)^{(1,n)}$ is defined as the transition system $(S, init_S, E, \Delta)$ with

— set of global states $S = (Q_A) \times (Q_B)^n$,

— global initial state $init_S = (init_A, init_B, \ldots, init_B)$,

— set of global inputs $E = (\Sigma_A) \times (\Sigma_B)^n$,

— and global transition relation $\Delta \subseteq S \times E \times S$ with $(s, e, s') \in \Delta$ iff

i) $s = (q_A, q_{B_1}, \ldots, q_{B_n})$,

ii) $e = (\sigma_A, \sigma_{B_1}, \ldots, \sigma_{B_n})$, and

iii) $s'$ is obtained from $s$ by replacing one local state $q_p$ with a new local state $q'_p$, where $p$ is a $U$-process with local transition $(q_p, \sigma_p, g, q'_p) \in \delta_U$ and $(s,p) \models g$.

We say that a system $(A,B)^{(1,n)}$ is of type $(A, B)$. It is called a conjunctive system if guards are interpreted conjunctively, and a disjunctive system if guards are interpreted disjunctively. A system is closed if all of its templates are closed. We often denote the set $\{B_1, \ldots, B_n\}$ as $\mathcal{B}$.

Runs. A configuration of a system is a triple $(s, e, p)$, where $s \in S$, $e \in E$, and $p$ is either a system process, or the special symbol $\bot$. A path of a system is a configuration sequence $x = (s_1, e_1, p_1), (s_2, e_2, p_2), \ldots$ such that for all $m < |x|$ there is a transition $(s_m, e_m, s_{m+1}) \in \Delta$ based on a local transition of process $p_m$. We say that process $p_m$ moves at moment $m$. Configuration $(s, e, \bot)$ appears iff all processes are disabled for $s$ and $e$. Also, for every $p$ and $m < |x|$: either $e_{m+1}(p) = e_m(p)$ or process $p$ moves at moment $m$. That is, the environment keeps input to each process unchanged until the process can read it.$^1$

A system run is a maximal path starting in the initial state. Runs are either infinite, or they end in a configuration $(s, e, \bot)$. We say that a run is initializing if every process that moves infinitely often also visits its $init$ infinitely often.

Given a system path $x = (s_1, e_1, p_1), (s_2, e_2, p_2), \ldots$ and a process $p$, the local path of $p$ in $x$ is the projection $x(p) = (s_1(p), e_1(p)), (s_2(p), e_2(p)), \ldots$ of $x$ onto local states and inputs of $p$. Similarly define the projection on two processes $p_1, p_2$ denoted by $x(p_1, p_2)$.

Deadlocks and Fairness. A run is globally deadlocked if it is finite. An infinite run is locally deadlocked for process $p$ if there exists $m$ such that $p$ is disabled for all $s_{m'}, e_{m'}$ with $m' > m$. A run is deadlocked if it is locally or globally deadlocked. A system has a (local/global) deadlock if it has a (locally/globally) deadlocked run. Note that absence of local deadlocks for all $p$ implies absence of global deadlocks, but not the other way around.

1 By only considering inputs that are actually processed, we approximate an action-based semantics. Paths that do not fulfill this requirement are not very interesting, since the environment can violate any interesting specification that involves input signals by manipulating them when the corresponding process is not allowed to move.
A run $(s_1, e_1, p_1), (s_2, e_2, p_2), \ldots$ is unconditionally-fair if every process moves infinitely often. A run is strong-fair if it is infinite and for every process $p$, if $p$ is enabled infinitely often, then $p$ moves infinitely often. We will discuss the role of deadlocks and fairness in synthesis in Sect. 4.

Remark 1. Why do we consider systems $A \| B^n$? Emerson and Kahlon [12] showed how to generalize cutoffs for such systems to systems of the form $A^m \| B^n$, and further to systems with an arbitrary number of process templates $U_1^{n_1} \| \ldots \| U_m^{n_m}$. This generalization also works for our new results, except for the cutoffs for deadlock detection that are restricted to 1-conjunctive systems (see Section 5).


3.2 Specifications

Fix templates $(A, B)$. We consider formulas in LTL\X, i.e., LTL without the next-time operator X. Let $h(A, B_{i_1}, \ldots, B_{i_k})$ be an LTL\X formula over atomic propositions from $Q_A \cup \Sigma_A$ and indexed propositions from $(Q_B \cup \Sigma_B) \times \{i_1, \ldots, i_k\}$. For a system $(A,B)^{(1,n)}$ with $n \ge k$ and $i_j \in [1..n]$, satisfaction of $A\,h(A, B_{i_1}, \ldots, B_{i_k})$ and $E\,h(A, B_{i_1}, \ldots, B_{i_k})$ is defined in the usual way (see e.g. [5]).

Parameterized Specifications. A parameterized specification is a temporal logic formula with indexed atomic propositions and quantification over indices. We consider formulas of the forms $\forall i_1, \ldots, i_k.\ A\,h(A, B_{i_1}, \ldots, B_{i_k})$ and $\forall i_1, \ldots, i_k.\ E\,h(A, B_{i_1}, \ldots, B_{i_k})$. For given $n \ge k$,

$$(A,B)^{(1,n)} \models \forall i_1, \ldots, i_k.\ A\,h(A, B_{i_1}, \ldots, B_{i_k}) \quad\text{iff}\quad (A,B)^{(1,n)} \models \bigwedge_{j_1 \ne \ldots \ne j_k \in [1..n]} A\,h(A, B_{j_1}, \ldots, B_{j_k}).$$

By symmetry of guarded protocols, this is equivalent (cp. [12]) to $(A,B)^{(1,n)} \models A\,h(A, B_1, \ldots, B_k)$. The latter formula is denoted by $A\,h(A, B^{(k)})$, and we often use it instead of the original $\forall i_1, \ldots, i_k.\ A\,h(A, B_{i_1}, \ldots, B_{i_k})$. For formulas with path quantifier $E$, satisfaction is defined analogously, and equivalent to satisfaction of $E\,h(A, B^{(k)})$.


Specification of Fairness and Local Deadlocks. It is often convenient to express fairness assumptions and local deadlocks as parameterized specifications. To this end, define auxiliary atomic propositions $move_p$ and $en_p$ for every process $p$ of system $(A,B)^{(1,n)}$. At moment $m$ of a given run $(s_1, e_1, p_1), (s_2, e_2, p_2), \ldots$, let $move_p$ be true whenever $p_m = p$, and let $en_p$ be true if $p$ is enabled for $s_m, e_m$. Note that we only allow the use of these propositions to define fairness, but not in general specifications. Then, an infinite run is

— local-deadlock-free if it satisfies $\forall p.\ GF\,en_p$, abbreviated as $\Phi_{\neg dead}$,

— strong-fair if it satisfies $\forall p.\ GF\,en_p \to GF\,move_p$, abbreviated as $\Phi_{strong}$, and

— unconditionally-fair if it satisfies $\forall p.\ GF\,move_p$, abbreviated as $\Phi_{uncond}$.

If $fair$ is a fairness notion and $A\,h(A, B^{(k)})$ a specification, then we write $A_{fair}\,h(A, B^{(k)})$ for $A(\Phi_{fair} \to h(A, B^{(k)}))$. Similarly, we write $E_{fair}\,h(A, B^{(k)})$ for $E(\Phi_{fair} \wedge h(A, B^{(k)}))$.
3.3 Model Checking and Synthesis Problems

For a given system $(A,B)^{(1,n)}$ and specification $h(A, B^{(k)})$ with $n \ge k$,

— the model checking problem is to decide whether $(A,B)^{(1,n)} \models A\,h(A, B^{(k)})$,

— the deadlock detection problem is to decide whether $(A,B)^{(1,n)}$ has neither global nor local deadlocks,

— the parameterized model checking problem (PMCP) is to decide whether $\forall m \ge n : (A,B)^{(1,m)} \models A\,h(A, B^{(k)})$, and

— the parameterized deadlock detection problem is to decide whether for all $m \ge n$, $(A,B)^{(1,m)}$ has neither global nor local deadlocks.

For a given number $n \in \mathbb{N}$ and specification $h(A, B^{(k)})$ with $n \ge k$,

— the template synthesis problem is to find process templates $A, B$ such that $(A,B)^{(1,n)} \models A\,h(A, B^{(k)})$ and $(A,B)^{(1,n)}$ does not have global deadlocks,

— the bounded template synthesis problem for a pair of bounds $(b_A, b_B) \in \mathbb{N} \times \mathbb{N}$ is to solve the template synthesis problem with $|A| \le b_A$ and $|B| \le b_B$,

— the parameterized template synthesis problem is to find process templates $A, B$ such that $\forall m \ge n : (A,B)^{(1,m)} \models A\,h(A, B^{(k)})$ and $(A,B)^{(1,m)}$ does not have global deadlocks.

These definitions can be flavored with different notions of fairness (and similarly for the $E$ path quantifier). In the next section we clarify the problems studied.

4 Reduction Method and Challenges

We show how to use existing cutoff results of Emerson and Kahlon [12] to reduce the PMCP to a standard model checking problem, and parameterized synthesis to template synthesis. We note the limitations of the existing results that are crucial in the context of synthesis.

Reduction by Cutoffs. A cutoff for a system type $(A, B)$ and a specification $\Phi$ is a number $c \in \mathbb{N}$ such that:

$$\forall n \ge c : \big( (A,B)^{(1,n)} \models \Phi \iff (A,B)^{(1,c)} \models \Phi \big).$$

Similarly, $c \in \mathbb{N}$ is a cutoff for (local/global) deadlock detection if $\forall n \ge c$: $(A,B)^{(1,n)}$ has a (local/global) deadlock iff $(A,B)^{(1,c)}$ has a (local/global) deadlock. For the systems and specifications presented in this paper, cutoffs can be computed from the size of process template $B$ and the number $k$ of copies of $B$ mentioned in the specification, and are given as expressions like $|B| + k + 1$.

Remark 2. Our definition of a cutoff is different from that of Emerson and Kahlon [12], and instead similar to, e.g., Emerson and Namjoshi [14]. The reason is that we want the following property to hold for any $(A, B)$ and $\Phi$: if $n_0$ is the smallest number such that $\forall n \ge n_0 : (A,B)^{(1,n)} \models \Phi$, then any $c < n_0$ is not a cutoff, and any $c \ge n_0$ is a cutoff. We call $n_0$ the tight cutoff. The definition in [12, page 2] requires that $\forall n \le c.\ (A,B)^{(1,n)} \models \Phi$ if and only if $\forall n \ge 1 : (A,B)^{(1,n)} \models \Phi$, and thus allows stating $c < n_0$ as a cutoff if $\Phi$ does not hold for all $n$. □
In model checking, a cutoff allows us to check whether any “big” system satisfies the specification by checking it in the cutoff system. As noted by Jacobs and Bloem [17], a similar reduction applies to the parameterized synthesis problem. For guarded protocols, we obtain the following semi-decision procedure for parameterized synthesis:

0. set initial bound $(b_A, b_B)$ on the size of process templates;

1. determine the cutoff for $(b_A, b_B)$ and $\Phi$;

2. solve the bounded template synthesis problem for the cutoff, the size bound, and $\Phi$;

3. if successful return $(A, B)$, else increase $(b_A, b_B)$ and goto (1).

Existing Cutoff Results. Emerson and Kahlon [12] have shown:

Theorem 1 (Disjunctive Cutoff Theorem). For closed disjunctive systems, $|B| + 2$ is a cutoff for formulas of the form $A\,h(A, B^{(1)})$ and $E\,h(A, B^{(1)})$, and for global deadlock detection.

Theorem 2 (Conjunctive Cutoff Theorem). For closed conjunctive systems, $2|B|$ is a cutoff for formulas of the form $A\,h(A)$ and $E\,h(A)$, and for global deadlock detection. For formulas of the form $A\,h(B^{(1)})$ and $E\,h(B^{(1)})$, $2|B| + 1$ is a cutoff.

Remark 3. Note that Emerson and Kahlon [12] proved these results for a different definition of a cutoff (see Remark 2). Their results also hold for our definition, except possibly for global deadlocks. For the latter case to hold with the new cutoff definition, one also needs to prove the direction “global deadlock in the cutoff system implies global deadlock in a large system” (later called Monotonicity Lemma). In Sect. 6.3 and 7.3 we prove these lemmas for the case of general deadlock (global or local).

Challenge: Open Systems. For any open system S there exists a closed system 
S' such that S and S' cannot be distinguished by LTL specifications (cp. Manna 
and Pnueli [22]). Thus, one approach to PMC for open systems is to use a 
translation between open and closed systems, and then use the existing cutoff 
results for closed systems. 

While such an approach works in theory, it might not be feasible in practice: 
since cutoffs depend on the size of process templates, and the translation blows 
up the process template, it also blows up the cutoffs. Thus, cutoffs that directly 
support open systems are important. 

Challenge: Liveness and Deadlocks under Fairness. We are interested in cutoff results that support liveness properties. In general, we would like to consider only runs where all processes move infinitely often, i.e., use the unconditional fairness assumption $\forall p.\ GF\,move_p$. However, this would mean that we accept all systems that always go into a local deadlock, since then the assumption is violated. This is especially undesirable in synthesis, because the synthesizer usually tries to violate the assumptions in order to satisfy the specification. To avoid this, we require the absence of local deadlocks under the strong fairness assumption $\forall p.\ (GF\,en_p \to GF\,move_p)$. Since strong fairness and absence of local deadlocks imply unconditional fairness, we can then use the latter as an assumption for the original specification.

Tight Cutoffs for Guarded Protocols with Fairness 9

In summary, for a parameterized specification $\Phi$, we consider satisfaction of

$$\text{“all runs are infinite”} \ \wedge\ A_{strong}\,\Phi_{\neg dead} \ \wedge\ A_{uncond}\,\Phi.$$

This is equivalent to “all runs are infinite” $\wedge\ A_{strong}(\Phi_{\neg dead} \wedge \Phi)$, but by considering the form above we can separate the tasks of deadlock detection and of model checking LTL\X-properties, and obtain modular cutoffs.

In the following, we present cutoffs for problems of the forms (i) $A_{uncond}\,\Phi$, and (ii) $A_{strong}\,\Phi_{\neg dead}$ and no global deadlocks (and the variants with $E$ path quantifier).

5 New Cutoff Results

We present new cutoff results that extend Theorems 1 and 2, summarized in the table below. We distinguish between disjunctive and conjunctive systems, non-fair and fair executions, as well as between the satisfaction of LTL\X properties $h(A, B^{(k)})$ and the existence of deadlocks. All results hold for open systems, and for both path quantifiers $A$ and $E$. Cutoffs depend on the size of process template $B$ and the number $k \ge 1$ of $B$-processes a property talks about:

                h(A,B^(k))     deadlock detection   h(A,B^(k))         deadlock detection
                no fairness    no fairness          uncond. fairness   strong fairness
  Disjunctive   |B| + k + 1    2|B| - 1             2|B| + k - 1       2|B| - 1
  Conjunctive   k + 1          2|B| - 2 (*)         k + 1 (*)          2|B| - 2 (*)

Results marked with a (*) are for a restricted class of systems: For conjunctive systems with fairness, we require infinite runs to be initializing, i.e., all non-deadlocked processes return to $init$ infinitely often.$^2$ Additionally, the cutoffs for deadlock detection in conjunctive systems only support 1-conjunctive systems. The reason for this restriction will be explained in Remark 4.

All cutoffs in the table are tight, i.e., no smaller cutoff can exist for this class of systems and properties, except for the case of deadlock detection in disjunctive systems without fairness. There, the cutoff is asymptotically tight, i.e., it must increase linearly with the size of the process template.


Proof Structure

To justify the entries in the table, we first recapitulate the proof structure of the original Theorems 1 and 2. The proofs are based on two lemmas, Monotonicity and Bounding. We give some basic proof ideas of the lemmas from [12] and mention extensions to the cases with fairness and deadlock detection. For cases where this extension is not easy, we will introduce additional proof techniques and explain how to use them in Sections 6 and 7. Note that we only consider properties of the form $h(A, B^{(1)})$ — the proof ideas extend to general properties $h(A, B^{(k)})$ without difficulty. Similarly, in most cases the proof ideas extend to open systems without major difficulties — mainly because when we construct a simulating run, we have the freedom to choose the input that is needed. Only for the case of deadlock detection do we have to handle open systems explicitly.

2 This assumption is in the same flavor as the restriction that $init_A$ and $init_B$ appear in all conjunctive guards. Intuitively, the additional restriction makes sense since conjunctive systems model shared resources, and everybody who takes a resource should eventually release it.

1) Monotonicity lemma: if a behavior is possible in a system with $n \in \mathbb{N}$ copies of $B$, then it is also possible in a system with one additional process:

$$(A,B)^{(1,n)} \models E\,h(A, B^{(1)}) \implies (A,B)^{(1,n+1)} \models E\,h(A, B^{(1)}),$$

and if a deadlock is possible in $(A,B)^{(1,n)}$, then it is possible in $(A,B)^{(1,n+1)}$.

Proof ideas. The lemma is easy to prove for properties $E\,h(A, B^{(1)})$ in both disjunctive and conjunctive systems, by letting the additional process stay in its initial state $init_B$ forever (cp. [12]). This cannot disable transitions with disjunctive guards, as these check for existence of a local state in another process (and we do not remove any processes), and it cannot disable conjunctive guards since they contain $init_B$ by assumption. However, this construction violates fairness, since the new process never moves. This can be resolved in the disjunctive case by letting the additional process mimic all transitions of an existing process. But in general this does not work in conjunctive systems (due to the non-reflexive interpretation of guards). For this case and for deadlock detection, the proof is not trivial and may only work for $n \ge c$, for some lower bound $c \in \mathbb{N}$ (see Sect. 6, 7). □

2) Bounding lemma: for a number $c \in \mathbb{N}$, a behavior is possible in a system with $c$ copies of $B$ if it is possible in a system with $n \ge c$ copies of process $B$:

$$(A,B)^{(1,c)} \models E\,h(A, B^{(1)}) \impliedby (A,B)^{(1,n)} \models E\,h(A, B^{(1)}),$$

and a deadlock is possible in $(A,B)^{(1,c)}$ if it is possible in $(A,B)^{(1,n)}$.

Proof ideas. For disjunctive systems, the main difficulty is that removing processes might falsify guards of the local transitions of $A$ or $B_1$ in a given run (see Sect. 6). For conjunctive systems, removing processes from a run is easy for the case of infinite runs, since a transition that was enabled before cannot become disabled. Here, the difficulty is in preserving deadlocks, because removing processes may enable processes that were deadlocked before (Sect. 7). □

6 Proof Techniques for Disjunctive Systems

6.1 LTL\X Properties without Fairness: Existing Constructions

We revisit the main technique of the original proof of Theorem 1 [12]. It constructs an infinite run $y$ of $(A,B)^{(1,c)}$ with $y \models h(A, B^{(1)})$, based on an infinite run $x$ of $(A,B)^{(1,n)}$ with $n \ge c$ and $x \models h(A, B^{(1)})$. The idea is to copy local runs $x(A)$ and $x(B_1)$ into $y$, and construct runs of other processes in a way that enables all transitions along $x(A)$ and $x(B_1)$. The latter is achieved with the flooding construction.

Flooding Construction [12]. Given a run $x = (s_1, e_1, p_1), (s_2, e_2, p_2), \ldots$ of $(A,B)^{(1,n)}$, let $Visited_{\mathcal{B}}(x)$ be the set of all local states visited by $B$-processes in $x$, i.e.,

$$Visited_{\mathcal{B}}(x) = \{q \in Q_B \mid \exists m\, \exists i.\ s_m(B_i) = q\}.$$

For every $q \in Visited_{\mathcal{B}}(x)$ there is a local run of $(A,B)^{(1,n)}$, say $x(B_i)$, that visits $q$ first, say at moment $m_q$. Then, saying that process $B_{i_q}$ of $(A,B)^{(1,c)}$ floods $q$ means:

$$y(B_{i_q}) = x(B_i)[1:m_q] \cdot (q)^\omega.$$

In words: the run $y(B_{i_q})$ is the same as $x(B_i)$ until moment $m_q$, and after that the process never moves.

The construction achieves the following. If we copy local runs of $A$ and $B_1$ from $x$ to $y$, and in $y$ for every $q \in Visited_{\mathcal{B}}(x)$ introduce one process that floods $q$, then: if in $x$ at some moment $m$ there is a process in state $q'$, then in $y$ at moment $m$ there will also be a process (different from $A$ and $B_1$) in state $q'$. Thus, every transition of $A$ and $B_1$ which is enabled at moment $m$ in $x$ will also be enabled in $y$.

Proof idea of the bounding lemma. The lemma for disjunctive systems without fairness can be proved by copying local runs $x(A)$ and $x(B_1)$, and flooding all states in $Visited_{\mathcal{B}}(x)$. To ensure that at least one process moves infinitely often in $y$, we copy one additional (infinite) local run from $x$. Finally, it may happen that the resulting collection of local runs violates the interleaving semantics requirement. To resolve this, we add stuttering steps into local runs whenever two or more processes move at the same time, and we remove global stuttering steps in $y$. Since the only difference between $x(A, B_1)$ and $y(A, B_1)$ are stuttering steps, $y$ and $x$ satisfy the same LTL\X-properties $h(A, B^{(1)})$. Since $|Visited_{\mathcal{B}}(x)| \le |B|$, we need at most $1 + |B| + 1$ copies of $B$ in $(A,B)^{(1,c)}$.
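The flooding construction above, carried out on a small disjunctive system as an added example (not code from the paper). Everything in it is constructed for illustration: the templates `DELTA_A` and `DELTA_B`, the finite run prefix `X` of $(A,B)^{(1,3)}$, and the helpers `flood`, `build_y`, `covers` and `transitions_preserved`. It builds $y$ from $x(A)$, $x(B_1)$ and one flooding process per state in $Visited_{\mathcal{B}}(x)$, then checks the two properties the text states: every $B$-state occupied in $x$ at moment $m$ is occupied in $y$ at moment $m$ by a process other than $A$ and $B_1$, and every move of $A$ or $B_1$ stays enabled in $y$.

```python
"""Flooding construction (Section 6.1) on a constructed disjunctive system.

Added example, not the paper's code.  Runs are lists of global states; index 0
is A, indices 1..n are B_1..B_n.  Templates are closed, so inputs are omitted,
and the run prefix X is finite (the paper's (q)^omega becomes "q to the end").
"""

# Disjunctive guards: "some *other* process is in one of the guard states".
DELTA_B = {("a", "b"): {"a", "b", "c"},   # enabled whenever another process exists
           ("b", "c"): {"b"},             # needs another process in b
           ("c", "a"): {"c"}}             # needs another process in c
DELTA_A = {("a0", "a1"): {"c"},           # A reacts to some B-process being in c
           ("a1", "a0"): {"a"}}


def disj_enabled(s, p, guard):
    """(s,p) |= g in a disjunctive system."""
    return any(q in guard for i, q in enumerate(s) if i != p)


# Constructed run prefix x = s_1 ... s_9 of (A,B)^(1,3); one process moves per step.
X = [("a0", "a", "a", "a"), ("a0", "a", "b", "a"), ("a0", "b", "b", "a"),
     ("a0", "c", "b", "a"), ("a0", "c", "b", "b"), ("a0", "c", "c", "b"),
     ("a1", "c", "c", "b"), ("a1", "a", "c", "b"), ("a0", "a", "c", "b")]


def movers(x, m):
    """Processes whose local state changes between s_m and s_{m+1} (1-based m)."""
    return [i for i in range(len(x[m - 1])) if x[m - 1][i] != x[m][i]]


def is_run(x):
    """Interleaving semantics: exactly one process moves per step, via an
    enabled local transition of its template."""
    for m in range(1, len(x)):
        ps = movers(x, m)
        if len(ps) != 1:
            return False
        p = ps[0]
        guard = (DELTA_A if p == 0 else DELTA_B).get((x[m - 1][p], x[m][p]))
        if guard is None or not disj_enabled(x[m - 1], p, guard):
            return False
    return True


def local_run(x, p):
    return [s[p] for s in x]


def visited_B(x):
    """Visited_B(x): local states visited by any B-process."""
    return {s[i] for s in x for i in range(1, len(s))}


def flood(x, q):
    """Local run of the process B_{i_q} that floods q: copy the first B-process
    x(B_i) to reach q up to that moment m_q, then stay in q to the end of x."""
    m_q, i = min((m, i) for m, s in enumerate(x, 1)
                 for i in range(1, len(s)) if s[i] == q)
    return local_run(x, i)[:m_q] + [q] * (len(x) - m_q)


def build_y(x):
    """y = x(A), x(B_1), plus one flooding process per state in Visited_B(x),
    aligned moment by moment (before the stuttering repair of Section 6.1)."""
    runs = [local_run(x, 0), local_run(x, 1)]
    runs += [flood(x, q) for q in sorted(visited_B(x))]
    return [tuple(r[m] for r in runs) for m in range(len(x))]


def covers(x, y):
    """Every state occupied by a B-process in x at moment m is occupied in y
    at moment m by a process other than A and B_1."""
    return all(set(s[1:]) <= set(t[2:]) for s, t in zip(x, y))


def transitions_preserved(x, y):
    """Each move of A or B_1 in x is enabled at the same moment in y."""
    for m in range(1, len(x)):
        p = movers(x, m)[0]
        if p > 1:
            continue          # moves of B_2, B_3, ... are not copied into y
        guard = (DELTA_A if p == 0 else DELTA_B)[(x[m - 1][p], x[m][p])]
        if not disj_enabled(y[m - 1], p, guard):
            return False
    return True


if __name__ == "__main__":
    Y = build_y(X)
    print("x is a run:", is_run(X), "| processes in y:", len(Y[0]))
    print("covers:", covers(X, Y), "| A/B_1 moves preserved:", transitions_preserved(X, Y))
```

With three visited $B$-states, $y$ has $1 + 3$ copies of $B$, within the $1 + |B| + 1$ bound. Note that `is_run(build_y(X))` is false: at one moment $B_1$ and a flooding process move simultaneously, which is exactly the interleaving violation that the stuttering repair described in the proof idea removes.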

6.2 LTL\X Properties with Fairness: New Constructions 

The flooding construction does not preserve fairness, and also cannot be used to construct deadlocked runs since it does not preserve disabledness of transitions of processes $A$ or $B_1$. For these cases, we provide new proof constructions.

Consider the proof task of the bounding lemma for disjunctive systems with fairness: given an unconditionally fair run $x$ of $(A,B)^{(1,n)}$ with $x \models h(A,B^{(1)})$, we want to construct an unconditionally fair run $y$ of $(A,B)^{(1,c)}$ with $y \models h(A,B^{(1)})$. In contrast to unfair systems, we need to ensure that all processes move infinitely often in $y$. The insight is that after a finite time all processes will start looping around some set $\text{Visited}^{\inf}_B$ of states. We construct a run $y$ that mimics this. To this end, we introduce two constructions. Flooding with evacuation is similar to flooding, but instead of keeping processes in their flooding states forever it evacuates the processes into $\text{Visited}^{\inf}_B$. Fair extension lets all processes move infinitely often without leaving $\text{Visited}^{\inf}_B$.
Flooding with Evacuation. Given a subset $\mathcal{F} \subseteq B$ and an infinite run $x = (s_1, e_1, p_1) \ldots$ of $(A,B)^{(1,n)}$, define

$$\text{Visited}^{\inf}_{\mathcal{F}}(x) = \{q \mid \exists \text{ infinitely many } m : s_m(B_i) = q \text{ for some } B_i \in \mathcal{F}\} \quad (1)$$
$$\text{Visited}^{\text{fin}}_{\mathcal{F}}(x) = \{q \mid \exists \text{ only finitely many } m : s_m(B_i) = q \text{ for some } B_i \in \mathcal{F}\} \quad (2)$$

Let $q \in \text{Visited}^{\text{fin}}_{\mathcal{F}}(x)$. In run $x$ there is a moment $f_q$ when $q$ is reached for the first time by some process from $\mathcal{F}$, denoted $B_{\text{first}_q}$. Also, in run $x$ there is a moment $l_q$ such that: $s_{l_q}(B_{\text{last}_q}) = q$ for some process $B_{\text{last}_q} \in \mathcal{F}$, and $s_t(B_i) \neq q$ for all $B_i \in \mathcal{F}$, $t > l_q$, i.e., when some process from $\mathcal{F}$ is in state $q$ for the last time in $x$. Then, saying that process $B_{i_q}$ of $(A,B)^{(1,c)}$ floods $q \in \text{Visited}^{\text{fin}}_{\mathcal{F}}(x)$ and then evacuates into $\text{Visited}^{\inf}_{\mathcal{F}}(x)$ means:

$$y(B_{i_q}) = x(B_{\text{first}_q})[1:f_q] \cdot (q)^{l_q - f_q - 1} \cdot x(B_{\text{last}_q})[l_q : m] \cdot (q')^{\omega},$$

where $q'$ is the state in $\text{Visited}^{\inf}_{\mathcal{F}}(x)$ that $x(B_{\text{last}_q})$ reaches first, at some moment $m > l_q$. In words, process $B_{i_q}$ mimics process $B_{\text{first}_q}$ until it reaches $q$, then does nothing until process $B_{\text{last}_q}$ starts leaving $q$, then it mimics $B_{\text{last}_q}$ until it reaches $\text{Visited}^{\inf}_{\mathcal{F}}(x)$.

The construction ensures: if we copy the local runs of all processes not in $\mathcal{F}$ from $x$ to $y$, then all transitions of $y$ are enabled. This is because: for any process $p$ of $(A,B)^{(1,c)}$ that takes a transition in $y$ at any moment, the set of states visible to process $p$ is a superset of the set of states visible to the original process in $(A,B)^{(1,n)}$ whose transitions process $p$ copies.

Fair Extension. Here, we consider a path $x$ that is the postfix of an unconditionally fair run $x'$ of $(A,B)^{(1,n)}$, starting from the moment where no local states from $\text{Visited}^{\text{fin}}_B(x')$ are visited anymore. We construct a corresponding unconditionally-fair path $y$ of $(A,B)^{(1,c)}$, where no local states from $\text{Visited}^{\text{fin}}_B(x')$ are visited.

Formally, let $n \geq 2|B|$, and $x$ an unconditionally-fair path of $(A,B)^{(1,n)}$ such that $\text{Visited}^{\text{fin}}_B(x) = \emptyset$. Let $c \geq 2|B|$, and $s'_1$ a state of $(A,B)^{(1,c)}$ with

— $s'_1(A_1) = s_1(A_1)$, $s'_1(B_1) = s_1(B_1)$

— for every $q \in \text{Visited}^{\inf}_{B_2..B_n}(x) \setminus \text{Visited}^{\inf}_{B_1}(x)$, there are two processes $B_{i_q}, B'_{i_q}$ of $(A,B)^{(1,c)}$ that start in $q$, i.e., $s'_1(B_{i_q}) = s'_1(B'_{i_q}) = q$

— for every $q \in \text{Visited}^{\inf}_{B_2..B_n}(x) \cap \text{Visited}^{\inf}_{B_1}(x)$, there is one process $B_{i_q}$ of $(A,B)^{(1,c)}$ that starts in $q$

— for some $q^* \in \text{Visited}^{\inf}_{B_2..B_n}(x) \cap \text{Visited}^{\inf}_{B_1}(x)$, there is one additional process of $(A,B)^{(1,c)}$, different from any in the above, called $B_{\text{alt}}$, that starts in $q^*$.

— any other process $B_i$ of $(A,B)^{(1,c)}$ starts in some state of $\text{Visited}^{\inf}_{B_2..B_n}(x)$.

Note that if $\text{Visited}^{\inf}_{B_2..B_n}(x) \cap \text{Visited}^{\inf}_{B_1}(x) = \emptyset$, then the third and fourth prerequisites are trivially satisfied.

The fair extension extends state $s'_1$ of $(A,B)^{(1,c)}$ to an unconditionally-fair path $y = (s'_1, e'_1, p'_1) \ldots$ with $y(A_1, B_1) = x(A_1, B_1)$ as follows:

(a) $y(A_1) = x(A_1)$, $y(B_1) = x(B_1)$

(b) for every $q \in \text{Visited}^{\inf}_{B_2..B_n}(x) \setminus \text{Visited}^{\inf}_{B_1}(x)$: in run $x$ there is $B_i \in \{B_2..B_n\}$ that starts in $q$ and visits it infinitely often. Let $B_{i_q}$ and $B'_{i_q}$ of $(A,B)^{(1,c)}$ mimic $B_i$ in turns: first $B_{i_q}$ mimics $B_i$ until it reaches $q$, then $B'_{i_q}$ mimics $B_i$ until it reaches $q$, and so on.

(c) arrange the states of $\text{Visited}^{\inf}_{B_2..B_n}(x) \cap \text{Visited}^{\inf}_{B_1}(x)$ in some order $(q^*, q_1, \ldots, q_l)$. The processes $B_{\text{alt}}, B_{i_{q^*}}, B_{i_{q_1}}, \ldots, B_{i_{q_l}}$ behave as follows. Start with $B_{\text{alt}}$: when $B_1$ enters $q^*$ in $y$, it carries$^3$ $B_{\text{alt}}$ from $q^*$ to $q_1$, then carries $B_{i_{q_1}}$ from $q_1$ to $q_2$, ..., then carries $B_{i_{q_l}}$ from $q_l$ to $q^*$, then carries $B_{i_{q^*}}$ from $q^*$ to $q_1$, then carries $B_{\text{alt}}$ from $q_1$ to $q_2$, then carries $B_{i_{q_1}}$ from $q_2$ to $q_3$, and so on.

(d) any other $B_i$ of $(A,B)^{(1,c)}$, starting in $q \in \text{Visited}^{\inf}_{B_2..B_n}(x)$, mimics $B_{i_q}$.

Note that parts (b) and (c) of the construction ensure that there is always at least one process in every state from $\text{Visited}^{\inf}_{B_2..B_n}(x)$. This ensures that the guards of all transitions of the construction are satisfied. Excluding the processes in (d), the fair extension uses up to $2|B|$ copies of $B$.$^4$

Proof idea of the bounding lemma. Let $c = 2|B|$. Given an unconditionally-fair run $x$ of $(A,B)^{(1,n)}$ we construct an unconditionally-fair run $y$ of the cutoff system $(A,B)^{(1,c)}$ such that $y(A,B_1)$ is stuttering equivalent to $x(A,B_1)$.

Note that in $x$ there is a moment $m$ such that all local states that are visited after $m$ are in $\text{Visited}^{\inf}_B(x)$.

The construction has two phases. In the first phase, we apply flooding for states in $\text{Visited}^{\inf}_B(x)$, and flooding with evacuation for states in $\text{Visited}^{\text{fin}}_B(x)$:

(a) $y(A) = x(A)$, $y(B_1) = x(B_1)$

(b) for every $q \in \text{Visited}^{\inf}_{B_2..B_n}(x) \setminus \text{Visited}^{\inf}_{B_1}(x)$, devote two processes of $(A,B)^{(1,c)}$ that flood $q$

(c) for some $q^* \in \text{Visited}^{\inf}_{B_2..B_n}(x) \cap \text{Visited}^{\inf}_{B_1}(x)$, devote one process of $(A,B)^{(1,c)}$ that floods $q^*$

(d) for every $q \in \text{Visited}^{\text{fin}}_{B_2..B_n}(x)$, devote one process of $(A,B)^{(1,c)}$ that floods $q$ and evacuates into $\text{Visited}^{\inf}_{B_2..B_n}(x)$

(e) let the other processes (if any) mimic process $B_1$

The phase ensures that at moment $m$ in $y$, there are no processes in $\text{Visited}^{\text{fin}}_B(x)$, and all the prerequisites of the fair extension are satisfied.

The second phase applies the fair extension, and then establishes the interleaving semantics as in the bounding lemma in the non-fair case. The overall construction uses up to $2|B|$ copies of $B$.

$^3$ “Process $B_1$ starting at moment $m$ carries process $B_i$ from $q$ to $q'$” means: process $B_i$ mimics the transitions of $B_1$ starting at moment $m$ at $q$ until $B_1$ first reaches $q'$.

$^4$ A careful reader may notice that if $|\text{Visited}^{\inf}_{B_1}(x)| = 1$ and $|\text{Visited}^{\inf}_{B_2..B_n}(x)| = |B|$, then the construction uses $2|B| + 1$ copies of $B$. But one can slightly modify the construction for this special case, and remove process $B_{\text{alt}}$ from the prerequisites.
6.3 Detection of Local and Global Deadlocks: New Constructions

Monotonicity Lemmas. The lemma for deadlock detection, for fair and unfair cases, is proven for $n \geq |B| + 1$. In the case of local deadlocks, process $B_{n+1}$ mimics a process that moves infinitely often in $x$. In the case of global deadlocks, by the pigeonhole principle, in the global deadlock state there is a state $q$ with at least two processes in it; let process $B_{n+1}$ mimic a process that deadlocks in $q$.

Bounding Lemmas. For the case of global deadlocks, fairness does not affect the proof of the bounding lemma. The insight is to divide deadlocked local states into two disjoint sets, $\text{dead}_1$ and $\text{dead}_2$, as follows. Given a globally deadlocked run $x$ of $(A,B)^{(1,n)}$, for every $q \in \text{dead}_1$, there is a process of $(A,B)^{(1,n)}$ deadlocked in $q$ with input $i$ that has an outgoing transition guarded “$\exists q$”; hence, adding one more process into $q$ would unlock the process. In contrast, $q \in \text{dead}_2$ if any process deadlocked in $q$ stays deadlocked after adding more processes into $q$. Let us denote the set of $B$-processes deadlocked in $\text{dead}_1$ by $\mathcal{D}_1$. Finally, abuse the definition in Eq. 2 and denote by $\text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x)$ the set of states that are visited by $B$-processes not in $\mathcal{D}_1$ before reaching a deadlocked state.

Given a globally deadlocked run $x$ of $(A,B)^{(1,n)}$ with $n \geq 2|B| - 1$, we construct a globally deadlocked run $y$ of $(A,B)^{(1,c)}$ with $c = 2|B| - 1$ as follows:

— copy from $x$ into $y$ the local runs of processes in $\mathcal{D}_1 \cup \{A\}$

— flood every state of $\text{dead}_2$

— for every $q \in \text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x)$, flood $q$ and evacuate into $\text{dead}_2$.

The construction ensures: (1) for any moment and any process in $y$, the set of local states that are visible to the process includes all the states that were visible to the corresponding process in $(A,B)^{(1,n)}$ whose transitions we copy; (2) in $y$, there is a moment when all processes deadlock in $\text{dead}_1 \cup \text{dead}_2$.

For the case of local deadlocks, the construction is similar but slightly more involved, and needs to distinguish between unfair and fair cases. In the unfair case, we also copy the behaviour of an infinitely moving process. In the strong-fair case, we continue the runs of non-deadlocked processes with the fair extension.


7 Proof Techniques for Conjunctive Systems 

7.1 LTL\X Properties without Fairness: Existing Constructions 

Recall that the Monotonicity lemma is proven by keeping the additional process in the initial state. To prove the bounding lemma, Emerson and Kahlon [12] suggest to simply copy the local runs $x(A)$ and $x(B_1)$ into $y$. In addition, we may need one more process that moves infinitely often to ensure that an infinite run of $(A,B)^{(1,n)}$ will result in an infinite run of $(A,B)^{(1,c)}$. All transitions of copied processes will be enabled because removing processes from a conjunctive system cannot disable a transition that was enabled before.
7.2 LTL\X Properties with Fairness: New Constructions

The proof of the Bounding lemma is the same as in the non-fair case, noting that if the original run is unconditionally fair, then so will be the resulting run.

Proving the Monotonicity lemma is more difficult, since the fair extension construction from disjunctive systems does not work for conjunctive systems: if an additional process mimics the transitions of an existing process then it disables transitions of the form $q \xrightarrow{\forall \neg q} q'$ or $q \xrightarrow{\forall \neg q'} q'$. Hence, we add the restriction of initializing runs, which allows us to construct a fair run as follows. The additional process $B_{n+1}$ “shares” a local run $x(B_i)$ with an existing process $B_i$ of $(A,B)^{(1,n+1)}$: one process stutters in $\text{init}_B$ while the other makes transitions from $x(B_i)$, and whenever $x(B_i)$ enters $\text{init}_B$ (this happens infinitely often), the roles are reversed. Since this changes the behavior of $B_i$, $B_i$ should not be mentioned in the formula, i.e., we need $n \geq 2$ for a formula $h(A, B^{(1)})$.
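The “shared local run” construction just described, as an added worked example (not the paper's code): the lasso-shaped local run, the state names `init`, `q1`, `q2` and the helper names are constructed for this demonstration. The check confirms the two facts the argument relies on: the pair never has both processes outside $\text{init}_B$ at the same moment, and each of the two moves in every other loop iteration, so both move infinitely often on the full lasso.

```python
# Added example (not code from the paper): the "shared local run" construction
# of the Monotonicity lemma for conjunctive systems with fairness. A local run
# x(B_i) is given as a lasso (prefix + loop) that re-enters init_B in every
# loop iteration, as initializing runs do. The pair (y(B_i), y(B_{n+1})) is
# built so that one stutters in init_B while the other follows x(B_i), and the
# roles reverse each time x(B_i) enters init_B.

INIT = "init"  # constructed name for init_B


def share_run(x_bi, init=INIT):
    """Split the local run x_bi into y_i (for B_i) and y_new (for B_{n+1})."""
    y_i, y_new = [], []
    active = 0          # 0: B_i follows x(B_i); 1: B_{n+1} follows it
    prev = None
    for q in x_bi:
        if q == init and prev is not None and prev != init:
            active = 1 - active   # x(B_i) enters init_B: reverse the roles
        y_i.append(q if active == 0 else init)
        y_new.append(q if active == 1 else init)
        prev = q
    return y_i, y_new


def unroll(prefix, loop, iterations):
    """Finite unrolling of the lasso prefix . loop^omega."""
    return list(prefix) + list(loop) * iterations


def at_most_one_outside_init(y_i, y_new, init=INIT):
    """The added process never joins B_i outside init_B, so it cannot falsify a
    1-conjunctive guard 'forall not q' (q != init_B) that held in x."""
    return all(a == init or b == init for a, b in zip(y_i, y_new))


def count_moves(run):
    """Number of non-stuttering steps of a local run."""
    return sum(1 for a, b in zip(run, run[1:]) if a != b)


def merged(y_i, y_new, init=INIT):
    """Whichever of the two is outside init_B reproduces x(B_i) step by step."""
    return [a if a != init else b for a, b in zip(y_i, y_new)]


def demo(iterations=4):
    """Constructed lasso init -> q1 -> q2 -> init, repeated; returns x(B_i) and the pair."""
    x_bi = unroll([INIT], ["q1", "q2", INIT], iterations)
    return x_bi, share_run(x_bi)
```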

7.3 Detection of Local and Global Deadlocks: New Constructions 

Monotonicity lemmas for both fair and unfair cases are proven by keeping process $B_{n+1}$ in the initial state, and copying the runs of deadlocked processes. If the run of $(A,B)^{(1,n)}$ is globally deadlocked, then process $B_{n+1}$ may keep moving in the constructed run, i.e., it may only be locally deadlocked. In case of a local deadlock in $(A,B)^{(1,n)}$, distinguish two cases: there is an infinitely moving $B$-process, or all $B$-processes are deadlocked (and thus $A$ moves infinitely often). In the latter case, use the same construction as in the global deadlock case (the correctness argument uses the fact that systems are 1-conjunctive, runs are initializing, and there is only one process of type $A$). In the former case, copy the original run, and let $B_{n+1}$ share a local run with an infinitely moving $B$-process.

Bounding lemma (no fairness). In the case of global deadlock detection, Emerson and Kahlon [12] suggest to copy a subset of the original local runs. For every local state $q$ that is present in the final state of the run, we need at most two local runs that end in this state. In the case of local deadlocks, our construction uses the fact that systems are 1-conjunctive. In 1-conjunctive systems, if a process is deadlocked, then there is a set of states DeadGuards that all need to be populated by other processes in order to disable all transitions of the deadlocked process. Thus, the construction copies: (i) the local run of a deadlocked process, (ii) for each $q \in \text{DeadGuards}$, the local run of a process that is in $q$ at the moment of the deadlock, and (iii) the local run of an infinitely moving process.

Bounding lemma (strong fairness). We use a construction that is similar to that of properties under fairness for disjunctive systems (Sect. 6.2): in the setup phase, we populate some “safe” set of states with processes, and then we extend the runs of non-deadlocked processes to satisfy strong fairness, while ensuring that deadlocked processes never get enabled.

Let $c = 2|Q_B \setminus \{\text{init}_B\}|$. Let $x = (s_1, e_1, p_1) \ldots$ be a locally deadlocked strong-fair initializing run of $(A,B)^{(1,n)}$ with $n \geq c$. We construct a locally deadlocked strong-fair initializing run $y$ of $(A,B)^{(1,c)}$.
Fig. 1: Bounding lemma (strong fairness): Venn diagram for $\text{dead}_1$, $\text{dead}_2$, DeadGuards, $\text{Visited}^{\inf}_{B \setminus \mathcal{D}}(x)$. States $q_1, \ldots, q_6$ are to illustrate that the corresponding sets may be non-empty. E.g., in $x$, a process may be deadlocked in $q_1 \in (\text{DeadGuards} \cap \text{dead}_1 \cap \text{Visited}^{\inf}_{B \setminus \mathcal{D}}(x))$, and another process in $q_3 \in \text{dead}_1 \cap \text{DeadGuards} \setminus \text{Visited}^{\inf}_{B \setminus \mathcal{D}}(x)$.

Let $\mathcal{D} \subseteq B$ be the set of deadlocked $B$-processes in $x$. Let $d$ be the moment in $x$ starting from which every process in $\mathcal{D}$ is deadlocked. Let $\text{dead}(x)$ be the set of states in which processes $\mathcal{D}$ of $(A,B)^{(1,n)}$ are deadlocked. Let $\text{dead}_2(x) \subseteq \text{dead}(x)$ be the set of deadlocked states such that: for every $q \in \text{dead}_2(x)$, there is a process $B_i \in \mathcal{D}$ with $s_d(B_i) = q$ that for input $e_d(B_i)$ has a transition guarded with “$\forall \neg q$”. Thus, a process in $q$ is deadlocked with $e_d(B_i)$ only if there is another process in $q$ in every moment $\geq d$. Let $\text{dead}_1(x) = \text{dead}(x) \setminus \text{dead}_2(x)$. Define DeadGuards to be the set

$$\{\, q \mid \exists B_i \in \mathcal{D} \text{ with a transition guarded “}\forall \neg q\text{” in } (s_d(B_i), e_d(B_i)) \,\}.$$

Figure 1 illustrates properties of the sets DeadGuards, $\text{dead}_1$, $\text{dead}_2$, $\text{Visited}^{\inf}_{B \setminus \mathcal{D}}(x)$. In the setup phase, we copy from $x$ into $y$:

— the local run of $A$;

— for every $q \in \text{dead}_1$, the local run of one process deadlocked in $q$;

— for every $q \in \text{dead}_2$, the local runs of two$^5$ processes deadlocked in $q$;

— for every $q \in \text{DeadGuards} \setminus \text{dead}$, the local run of a process that reaches $q$ after moment $d$.

— Finally, we keep one $B$-process in $\text{init}_B$ until moment $d$.

The setup phase ensures: in every state $q \in \text{dead}$, there is at least one process deadlocked in $q$ at moment $d$ in $y$. Now we need to ensure that the non-deadlocked processes in $\text{DeadGuards} \setminus \text{dead}$ and $\text{init}_B$ move infinitely often, which is done using the looping extension described below.

Order arbitrarily $\text{DeadGuards} \setminus \text{dead} = (q_1, \ldots, q_k) \subseteq \text{Visited}^{\inf}_{B \setminus \mathcal{D}}(x)$. Let $\mathcal{V} \subseteq B$ be the non-deadlocked processes of $(A,B)^{(1,c)}$ that we moved into $(q_1, \ldots, q_k) \cup \{\text{init}_B\}$ in the setup phase. Note that $|\mathcal{V}| = |(q_1, \ldots, q_k)| + 1$.

$^5$ Strictly speaking, in $x$ we might not have two deadlocked processes in a state in $\text{dead}_2$: one process may be deadlocked, others enter and exit the state infinitely often. In such a case, there is always a non-deadlocked process in the state. Then, copy the local run of such an infinitely moving process until it enters the deadlocked state, and then deadlock it by providing the same input as the deadlocked process receives.
The looping phase is: set $i = 1$, and repeat infinitely the following.

— let $B_{\text{init}} \in \mathcal{V}$ be the process of $(A,B)^{(1,c)}$ that is currently in $\text{init}_B$, and $B_{q_i} \in \mathcal{V}$ be the process of $(A,B)^{(1,c)}$ that is currently in $q_i$

— let $B'_{q_i}$ be a process of $(A,B)^{(1,n)}$ that visits $q_i$ and $\text{init}_B$ infinitely often. Let $B_{\text{init}}$ of $(A,B)^{(1,c)}$ copy transitions of $B'_{q_i}$ on some path $\text{init}_B \to \ldots \to q_i$, then let $B_{q_i}$ copy transitions of $B'_{q_i}$ on some path $q_i \to \ldots \to \text{init}_B$. For copying we consider only the paths of $B'_{q_i}$ that happen after moment $d$.

— $i = i \oplus 1$


Remark 1. In 1-conjunctive systems, the set DeadGuards is “static”, i.e., there is always at least one process in each state of DeadGuards starting from the moment of the deadlock. In contrast, in general conjunctive systems where guards can overlap, there is no such set. However, there is a similar set of sets of states, such that one state from each set always needs to be populated to ensure the deadlock.


8 Conclusion 


We have extended the cutoff results for guarded protocols of Emerson and 
Kahlon [12] to support local deadlock detection, fairness assumptions, and open 
systems. In particular, our results imply decidability of the parameterized model 
checking problem for this class of systems and specifications, which to the best 
of our knowledge was unknown before. Furthermore, the cutoff results can easily 
be integrated into the parameterized synthesis approach [17,20]. 

Since conjunctive guards can model atomic sections and read-write locks, and disjunctive guards can model pairwise rendezvous (for some classes of specifications, cp. [13]), our results apply to a wide spectrum of system models. But the expressivity of the model comes at a high cost: cutoffs are linear in the size of a process, and are shown to be tight (with respect to this parameter). For conjunctive systems, our new results are restricted to systems with 1-conjunctive guards, effectively only allowing to model a single shared resource. We conjecture that our proof methods can be extended to systems with more general conjunctive guards, at the price of even bigger cutoffs. We leave this extension and the question of finding cutoffs that are independent of the size of processes for future research.
A Additional Definitions and Notation

For a global state $s$ of system $(A,B)^{(1,n)}$ and a local state $q$ (of template $A$ or $B$), we write $q \in s$ as shorthand for $\exists p \in \{A, B_1, \ldots, B_n\}: s(p) = q$.

For a sequence $x = x_1, x_2, \ldots$ denote the subsequence between the $i$th and $j$th element of the sequence as $x[i:j] = x_i, \ldots, x_j$.

By $q_i \xrightarrow{e,\, g} q_j$ denote a process transition from $q_i$ to $q_j$ for input $e$ and guarded by guard $g$. We skip the input $e$ and guard $g$ if they are not important or can be inferred from the context.

Given system state $s$, let $\text{Set}(s)$ be the set $\{q \mid \exists p : s(p) = q\}$.


B Cutoff's for Disjunctive Systems 

B.l Disjunctive Systems without Fairness 

Lemma 1 (Monotonicity: Disj, Properties, Unfair). For disjunctive systems:

$$\forall n \geq 1 : \quad (A,B)^{(1,n)} \models E\, h(A,B_1) \;\Rightarrow\; (A,B)^{(1,n+1)} \models E\, h(A,B_1).$$

Proof. Given a run $x$ of $(A,B)^{(1,n)}$ we construct a run $y$ of $(A,B)^{(1,n+1)}$: copy $x$ into $y$ and keep the additional process in the initial state. □


Lemma 2 (Bounding: Disj, Properties, Unfair). For disjunctive systems:

$$\forall n \geq |B| + 2 : \quad (A,B)^{(1,|B|+2)} \models E\, h(A,B_1) \;\Leftarrow\; (A,B)^{(1,n)} \models E\, h(A,B_1).$$

The proof is from [12, Lemma 4.1.2]. We recapitulate it to introduce the notions of “a process floods a state”, destutter, interleave, and “a process mimics another process”, which are used in our proofs later.

Proof. Let $c = |B| + 2$ and $n \geq c$. Let $x = (s_1, e_1, p_1), (s_2, e_2, p_2) \ldots$ be a run of $(A,B)^{(1,n)}$ that satisfies $E\, h(A,B_1)$. We construct a run $y$ of the cutoff system $(A,B)^{(1,c)}$ with $y(A,B_1) \sim x(A,B_1)$.

Let $\text{Visited}(x)$ be the set of all states visited by $B$-processes in run $x$: $\text{Visited}(x) = \{q \mid \exists m\, \exists i : s_m(B_i) = q\}$.

Construct the run $y$ of $(A,B)^{(1,c)}$ as follows:

a. copy the runs of $A$ and $B_1$ from $x$ to $y$: $y(A) = x(A)$, $y(B_1) = x(B_1)$

b. $x$ is infinite, hence it has at least one infinitely moving process, denoted $B_\infty$. Devote one unique process $B_\infty$ in $(A,B)^{(1,c)}$ that copies the behaviour of $B_\infty$ of $(A,B)^{(1,n)}$: $y(B_\infty) = x(B_\infty)$.

c. for every $q \in \text{Visited}$ there is a process of $(A,B)^{(1,n)}$, denoted $B_i$, that visits $q$ first, at a moment denoted $m_q$. Then devote one unique process in $(A,B)^{(1,c)}$, denoted $B_{i_q}$, that floods $q$: set $y(B_{i_q}) = x(B_i)[1:m_q](q)^{\omega}$. In words: the run $y(B_{i_q})$ repeats exactly that of $x(B_i)$ till moment $m_q$, after which the process is never scheduled.

d. let any other process $B_i$ of $(A,B)^{(1,c)}$ not used in the previous steps (if any) mimic the behavior of $B_1$ of $(A,B)^{(1,c)}$: $y(B_i) = y(B_1)$.
The figure illustrates the construction. The correctness follows from the observation that any transition of any process at any moment $m$ of $y$ was done by some process in $x$ at moment $m$ and hence is enabled. Also note that if $\geq 2$ processes transit simultaneously in $y$, then the guards of their transitions will be enabled even if both of them are removed from the state space. Note that it is possible that in $y$:

— more than one process transits at the same moment. Then, interleave the transitions of such processes, namely arbitrarily sequentialize them.

— at some moment no process moves. Then remove such elements of the run $y$; the resulting run is denoted $\text{destutter}(y)$.

This construction uses $|\text{Visited}| + 2 \leq |B| + 2$ copies of $B$ (ignoring case (d)). □
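The flooding construction of this proof (and of Sect. 6.1), run end to end as an added worked example that is not the paper's code: the two templates, the three-process run $x$ and all process names are constructed for the demonstration, and the process standing in for $B_\infty$ is chosen by the caller because the demo works on a finite prefix. The code builds the local runs of $y$, interleaves simultaneous moves, destutters, and checks that every transition of $y$ is enabled by a process other than the mover, as disjunctive guards require.

```python
# Added example (not code from the paper): the flooding construction of the
# bounding lemma for disjunctive systems, run on a constructed finite prefix of
# a run x of (A,B)^(1,3). It copies x(A) and x(B1), copies one extra process as
# the stand-in for the infinitely moving B_inf, floods every q in Visited_B(x),
# interleaves simultaneous moves, destutters, and finally checks that every
# transition of the cutoff run y is enabled by some *other* process.

TRUE = ("true",)  # a disjunctive guard is "true" or ("exists", q)

# Constructed sample templates: lists of (src, guard, dst).
TEMPLATE_A = [("a0", ("exists", "b2"), "a1"), ("a1", ("exists", "b1"), "a0")]
TEMPLATE_B = [("b0", TRUE, "b1"), ("b1", ("exists", "b0"), "b2"),
              ("b2", ("exists", "b1"), "b0")]


def guard_holds(guard, state, mover):
    """Disjunctive semantics: "exists q" holds iff a process other than mover is in q."""
    if guard == TRUE:
        return True
    _, q = guard
    return any(p != mover and s == q for p, s in state.items())


def find_guard(proc, src, dst):
    """Guard of the template transition src -> dst of proc, or None if absent."""
    template = TEMPLATE_A if proc.startswith("A") else TEMPLATE_B
    for s, g, d in template:
        if s == src and d == dst:
            return g
    return None


def local_run(run, proc):
    return [s[proc] for s in run]


def visited_B(run):
    """Visited_B(x) as dict q -> (m_q, B_i): first-visit moment and first visitor."""
    first = {}
    for m, s in enumerate(run):
        for p, q in s.items():
            if p.startswith("B") and q not in first:
                first[q] = (m, p)
    return first


def flood(run, infinite_mover="B2"):
    """Local runs of y: y(A)=x(A), y(B1)=x(B1), y(B_inf)=x(B_i), one flooder per q.
    On a finite prefix the caller names the process standing in for B_inf; the
    proof picks any process that moves infinitely often in x."""
    length = len(run)
    y = {"A": local_run(run, "A"), "B1": local_run(run, "B1"),
         "B_inf": local_run(run, infinite_mover)}
    for q, (m_q, proc) in visited_B(run).items():
        # y(B_iq) = x(B_i)[1:m_q] . (q)^omega, cut at the prefix length
        prefix = local_run(run, proc)[: m_q + 1]
        y["B_" + q] = prefix + [q] * (length - len(prefix))
    return y


def interleave_and_destutter(y):
    """Global run with one mover per step: simultaneous moves are sequentialized
    in process order, and moments where nobody moves add no global state."""
    procs = list(y)
    state = {p: y[p][0] for p in procs}
    run = [dict(state)]
    for m in range(1, len(y[procs[0]])):
        for p in procs:
            if state[p] != y[p][m]:
                state[p] = y[p][m]
                run.append(dict(state))
    return run


def destuttered_projection(run, procs):
    """Projection onto procs with stuttering removed (what LTL without X observes)."""
    out = []
    for s in run:
        t = tuple(s[p] for p in procs)
        if not out or out[-1] != t:
            out.append(t)
    return out


def all_transitions_enabled(run):
    """Every step is a template transition of exactly one process, enabled before it."""
    for before, after in zip(run, run[1:]):
        movers = [p for p in before if before[p] != after[p]]
        if len(movers) != 1:
            return False
        p = movers[0]
        g = find_guard(p, before[p], after[p])
        if g is None or not guard_holds(g, before, p):
            return False
    return True


def sample_run():
    """Constructed run x of (A,B)^(1,3): one mover per step, every guard holds."""
    steps = [("B2", "b1"), ("B2", "b2"), ("A", "a1"), ("B3", "b1"),
             ("B1", "b1"), ("A", "a0"), ("B2", "b0"), ("B1", "b2")]
    state = {"A": "a0", "B1": "b0", "B2": "b0", "B3": "b0"}
    run = [dict(state)]
    for p, q in steps:
        state[p] = q
        run.append(dict(state))
    return run


def cutoff_run():
    """The run y of the cutoff system (A,B)^(1,|B|+2) built from sample_run()."""
    return interleave_and_destutter(flood(sample_run()))
```

The step of $x$ in which only $B_3$ moves is not copied into any local run of $y$, so it disappears in destuttering, while $y(A,B_1)$ stays stuttering equivalent to $x(A,B_1)$.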

Tightness 1 (Disj, Props, Unfair). The cutoff in Lemma 2 is tight, i.e., for any $k$ there exist process templates $(A,B)$ with $|B| = k$ and LTL\X formula $h(A,B_1)$ such that:

$$(A,B)^{(1,|B|+2)} \models E\, h(A,B_1) \quad \text{and} \quad (A,B)^{(1,|B|+1)} \not\models E\, h(A,B_1).$$

Proof. The idea of the proof relies on the subtleties of the definition of a run: it is infinite (thus not globally deadlocked), and in each step of a run exactly one process moves.

Consider the templates in the figure below and let $E\, h(A,B_1) = E(F\, 3_B \wedge F\, G(2_B \wedge \text{end}_A))$. In words: there exists a run in the system where process $B_1$ visits $3_B$ and process $B_1$ together with $A$ eventually always stay in $2_B$ and $\text{end}_A$.

[Figure: (a) Template A, (b) Template B]

We need one process in every state of $B$ to enable the transitions of $A$ to $\text{all}_A$. Only when $A$ is in $\text{all}_A$ can $B_1$ move $3_B \to 1_B$, and then at some point to $2_B$. After $B_1$ moves $3_B \to 1_B$, $A$ moves $\text{all}_A \to \text{end}_A$, which requires a process $B_i$ ($i \neq 1$) in $3_B$. Finally, to make the run infinite there should be at least two processes in $|B|_B$. □
Lemma 3 (Monotonicity: Disj, Deadlocks, Unfair). For disjunctive systems:

$$\forall n \geq |B| + 1 : \quad (A,B)^{(1,n)} \text{ has a deadlock} \;\Rightarrow\; (A,B)^{(1,n+1)} \text{ has a deadlock}$$

Proof. Given a deadlocked run $x$ of $(A,B)^{(1,n)}$ we build a deadlocked run of $(A,B)^{(1,n+1)}$. If the run $x$ is locally deadlocked, then it has at least one infinitely moving process, thus let the additional process mimic that process. If the run $x$ is globally deadlocked, then due to $n > |B|$ in some state there are at least two processes deadlocked. Thus, let the new process mimic a process deadlocked in that state; the run constructed will also be globally deadlocked. □

Lemma 4 (Bounding: Disj, Deadlocks, Unfair). For disjunctive systems:

— with $c = |B| + 2$ and any $n \geq c$:

$(A,B)^{(1,c)}$ has a local deadlock $\;\Leftarrow\;$ $(A,B)^{(1,n)}$ has a local deadlock

— with $c = 2|B| - 1$ and any $n \geq c$:

$(A,B)^{(1,c)}$ has a global deadlock $\;\Leftarrow\;$ $(A,B)^{(1,n)}$ has a global deadlock

— with $c = 2|B| - 1$ and any $n \geq c$:

$(A,B)^{(1,c)}$ has a deadlock $\;\Leftarrow\;$ $(A,B)^{(1,n)}$ has a deadlock

Proof. Given a (globally or locally) deadlocked run of $(A,B)^{(1,n)}$ we construct a (globally or locally) deadlocked run of $(A,B)^{(1,c)}$, where $c$ depends on the nature of the given run. We do this using the construction template.

Let $B = \{B_1, \ldots, B_n\}$. The template depends on a set $\mathcal{C} \subseteq \{B_1, \ldots, B_c\}$:

a. set $y(A) = x(A)$

b. for every $B_i \in \mathcal{C}$, set $y(B_i) = x(B_i)$

c. for every $q \in \text{Visited}^{\inf}_{B \setminus \mathcal{C}}(x)$, devote one process of $(A,B)^{(1,c)}$ that floods $q$

d. for every $q \in \text{Visited}^{\text{fin}}_{B \setminus \mathcal{C}}(x)$, devote one process of $(A,B)^{(1,c)}$ that floods $q$ and then evacuates into $\text{Visited}^{\inf}_{B \setminus \mathcal{C}}(x)$

e. let the other processes (if any) mimic some process from (c)

1) Local Deadlock. We distinguish three cases:

1a) $A$ deadlocks, $B_1$ moves infinitely often

1b) $A$ moves infinitely often, $B_1$ deadlocks

1c) $A$ neither deadlocks nor moves infinitely often, $B_1$ deadlocks, $B_2$ moves infinitely often.

1a: “$A$ deadlocks, $B_1$ moves infinitely often”.

Let $c = |B| + 1$, and $\mathcal{C} = \{B_1\}$. Note that $\text{Visited}^{\inf}_{B \setminus \mathcal{C}}(x) \neq \emptyset$. The resulting construction uses $|\text{Visited}^{\inf}_{B \setminus \mathcal{C}}(x)| + |\text{Visited}^{\text{fin}}_{B \setminus \mathcal{C}}(x)| + 1 \leq |B| + 1$ copies of $B$.

1b: “$A$ moves infinitely often, $B_1$ deadlocks”.

Let $c = |B| + 1$, and $\mathcal{C} = \{B_1\}$. Let $q_1$ be the state in which $B_1$ deadlocks. Instantiate the construction template.

Process $B_1$ of $(A,B)^{(1,c)}$ is deadlocked in $y$ starting from some moment $d$, because any state it sees (in $\text{Visited}^{\inf}_{B \setminus \mathcal{C}}(x)$) was also seen by $B_1$ in $(A,B)^{(1,n)}$ in $x$ at some moment $d' \geq d$ (note that $d'$ may not be the same moment as $d$).

1c: “$A$ neither deadlocks nor moves infinitely often, $B_1$ deadlocks, $B_2$ moves infinitely often”.

Instantiate the construction template with $c = |B| + 2$ and $\mathcal{C} = \{B_1, B_2\}$.

Finally, $|B| + 2$ is a (possibly not tight) cutoff for the local deadlock detection problem.

2) Global Deadlock. Let $x = (s_1, e_1, p_1) \ldots (s_d, e_d, \bot)$ be a globally deadlocked run of $(A,B)^{(1,n)}$ with $n \geq c$.

Let us abuse the definitions of $\text{Visited}^{\inf}_{\mathcal{F}}(x)$ and $\text{Visited}^{\text{fin}}_{\mathcal{F}}(x)$, in Eq. 1 and 2 resp., and adapt them to the case of finite runs. To this end, given a finite run $x = (s_1, e_1, p_1) \ldots (s_d, e_d, \bot)$, extend it to the infinite sequence $(s_1, e_1, p_1) \ldots (s_d, e_d, \bot)^{\omega}$, and apply the definitions of $\text{Visited}^{\inf}_{\mathcal{F}}(x)$ and $\text{Visited}^{\text{fin}}_{\mathcal{F}}(x)$ to the sequence.

Let $\mathcal{D}_1$ be the set of processes deadlocked in unique states: $\forall p \in \mathcal{D}_1\ \nexists p' \neq p : s_d(p') = s_d(p)$. Instantiate the construction template with $\mathcal{C} = \mathcal{D}_1$ and $c = 2|B| - 1$.$^6$

3) Deadlocks. As the cutoff for the deadlock detection problem we take the largest cutoff in (1)–(2), namely $2|B| - 1$, but it may be not tight; finding the tight cutoffs for the local deadlock and for the deadlock detection problems is an open problem.

□

Tightness 2 (Disj, Deadlocks, Unfair). The cutoff $c = 2|B| - 1$ for deadlock detection in disjunctive systems is asymptotically optimal but possibly not tight, i.e.: for any $k$ there are templates $(A,B)$ with $|B| = k$ such that:

$$(A,B)^{(1,|B|-1)} \text{ does not have a deadlock, but } (A,B)^{(1,|B|)} \text{ does.}$$

Proof. The figure below illustrates templates $(A,B)$ to prove the asymptotic optimality of the cutoff $2|B| - 1$ for the deadlock detection problem. Template $A$ is any that never deadlocks. The system has a local deadlock only when there are at least $|B|$ copies of $B$, which is a constant factor of $2|B| - 1$. □



B.2 Disjunctive Systems with Fairness 

Lemma 5 (Monotonicity: Disj, Props, Fair). For disjunctive systems:

$$\forall n \geq 1 : \quad (A,B)^{(1,n)} \models E_{\text{uncond}}\, h(A,B_1) \;\Rightarrow\; (A,B)^{(1,n+1)} \models E_{\text{uncond}}\, h(A,B_1).$$


$^6$ $2|B| - 1$ copies are enough, because: $\text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x) \cap \text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) = \emptyset$, $\text{Visited}_{\mathcal{D}_1}(x) \cap \text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) = \emptyset$, and if $\text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x) \neq \emptyset$, then $\text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) \neq \emptyset$.
Proof. In a run $x$ of $(A,B)^{(1,n)}$ with $n \geq 1$ all processes move infinitely often. Hence let the run $y$ of $(A,B)^{(1,n+1)}$ copy $x$, and let the new process mimic an infinitely moving $B$-process of $(A,B)^{(1,n)}$. □


Lemma 6 (Bounding: Disj, Props, Fair). For disjunctive systems:

$$\forall n \geq 2|B| : \quad (A,B)^{(1,2|B|)} \models E_{\text{uncond}}\, h(A,B_1) \;\Leftarrow\; (A,B)^{(1,n)} \models E_{\text{uncond}}\, h(A,B_1).$$

The proof was given in the main text, in Section 6.2.

Tightness 3 (Disj, Props, Fair). The cutoff in Lemma 6 is tight, i.e., for any $k$ there exist process templates $(A,B)$ with $|B| = k$ and LTL\X formula $h(A,B_1)$ such that:

$$(A,B)^{(1,2|B|)} \models E\, h(A,B_1) \quad \text{and} \quad (A,B)^{(1,2|B|-1)} \not\models E\, h(A,B_1).$$

The proof was described in the main text, in Section 6.2.

Proof. Consider the process templates $A, B$ in the figure below and the property $E\, \text{true}$. □

[Figure: (a) Template A, (b) Template B]

Lemma 7 (Monotonicity: Disj, Deadlocks, Fair). For disjunctive systems, on strong-fair or finite runs:

$$\forall n \geq |B| + 1 : \quad (A,B)^{(1,n)} \text{ has a deadlock} \;\Rightarrow\; (A,B)^{(1,n+1)} \text{ has a deadlock}$$

Proof. See the proof of Lemma 3. □

Lemma 8 (Bounding: Disj, Deadlocks, Fair). For disjunctive systems, on strong-fair or finite runs:

— with $c = 2|B| - 1$ and any $n \geq c$:

$(A,B)^{(1,c)}$ has a local deadlock $\;\Leftarrow\;$ $(A,B)^{(1,n)}$ has a local deadlock

— with $c = 2|B| - 1$ and any $n \geq c$:

$(A,B)^{(1,c)}$ has a global deadlock $\;\Leftarrow\;$ $(A,B)^{(1,n)}$ has a global deadlock

— with $c = 2|B| - 1$ and any $n \geq c$:

$(A,B)^{(1,c)}$ has a deadlock $\;\Leftarrow\;$ $(A,B)^{(1,n)}$ has a deadlock
Proof. If $(A,B)^{(1,n)}$ has a global deadlock, then the fairness does not influence the cutoff, and the proof from Lemma 4, case “Global Deadlocks”, applies, giving the cutoff $2|B| - 1$. Hence below consider only the case of local deadlocks.

Given a strong-fair deadlocked run $x$ of $(A,B)^{(1,n)}$, we first construct a strong-fair deadlocked run $y$ of $(A,B)^{(1,c)}$ with $c = 2|B|$ and then argue that $c$ can be reduced to $2|B| - 1$. The construction is similar to that in Lemma 4; the differences originate from the need to infinitely move the non-deadlocked processes.

Let $\text{dead}_{<2}(x)$ be the set of deadlocked states in the run $x$ that are only deadlocked if there is no other process in the same state, and let $\mathcal{D}_1$ be the set of processes deadlocked in the run $x$ in $\text{dead}_{<2}(x)$. Let $\text{dead}_2(x)$ be the set of states that are deadlocked in the run $x$ even if there is another process in the same state.

Notes:

— $|\mathcal{D}_1| = |\text{dead}_{<2}(x)| \leq |B|$

— $\text{dead}_{<2}(x) \cap \text{dead}_2(x) = \emptyset$

— $\text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x) \cap \text{dead}_{<2}(x) \neq \emptyset$ is possible, because a state from $\text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x)$ can first be visited by a process in $B \setminus \mathcal{D}_1$, and later deadlocked by a process in $\mathcal{D}_1$.

— $\text{dead}_2(x) \subseteq \text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x)$, and hence $\text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x) \cap \text{dead}_2(x) = \emptyset$.

The construction has two phases. The first phase:

a. for every $p \in \{A\} \cup \mathcal{D}_1$, set $y(p) = x(p)$

b. for every $q \in \text{dead}_2(x)$, devote one process of $(A,B)^{(1,c)}$ that floods it

c. for every $q \in \text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) \setminus \text{dead}_2(x)$, devote two processes of $(A,B)^{(1,c)}$ that flood it

d. for every $q \in \text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x)$, devote one process of $(A,B)^{(1,c)}$ that floods it and then evacuates into $\text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x)$

e. let the other processes (if any) mimic some process from (c)

After this phase all $B$-processes will be in $\text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) \cup \text{dead}_{<2}(x)$.

The second phase applies to the processes in $\text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) \setminus \text{dead}_2(x)$ the fair extension$^7$. How many processes does the construction use? Note that the sets $\text{dead}_{<2}(x) \cup \text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x)$, $\text{dead}_2(x)$, $\text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) \setminus \text{dead}_2(x)$ are disjoint, thus:

$$|\text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x)| + |\text{dead}_{<2}(x)| + |\text{dead}_2(x)| + 2\,|\text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) \setminus \text{dead}_2(x)| \leq \quad (3)$$
$$2\,|\text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x) \cup \text{dead}_{<2}(x)| + |\text{dead}_2(x)| + 2\,|\text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) \setminus \text{dead}_2(x)| \leq \quad (4)$$
$$|B| + |\text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x) \cup \text{dead}_{<2}(x)| + |\text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) \setminus \text{dead}_2(x)| \leq 2|B|.$$

Let us reduce the estimate to $\leq 2|B| - 1$:

— assume that $\text{dead}_2(x) = \emptyset$ (otherwise, Eq. 3 and the disjointness of the sets give $2|B| - 1$)

— assume that $\text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x) \neq \emptyset$ (the other case together with Eq. 4, the disjointness of the sets, and the first item gives $2|B| - 1$)

$^7$ The fair extension requires the run $x$ to be unconditionally fair, but here we have a run in which all processes that are not deadlocked move infinitely often. To adapt the construction to this case: copy the local runs of the processes $\{A\} \cup \mathcal{D}_1$, and do not extend the local runs of processes that are in a state in $\text{dead}_2$.
— hence, the construction in step (d) evacuates the process in $q \in \text{Visited}^{\text{fin}}_{B \setminus \mathcal{D}_1}(x)$ into $\text{Visited}^{\inf}_{B \setminus \mathcal{D}_1}(x) \setminus \text{dead}_2(x)$. Hence modify step (c) of the construction and for $q$ devote a single process of $(A,B)^{(1,c)}$ that floods it. This will give $\leq 2|B| - 1$.

This concludes the proof. □


Tightness 4 (Disj, Deadlocks, Fair). The cutoff $c = 2|B| - 1$ for deadlock detection in disjunctive systems on strong-fair or finite runs is tight, i.e.: for any $k$ there are templates $(A,B)$ with $|B| = k$ such that:

$$(A,B)^{(1,2|B|-2)} \text{ does not have a deadlock, but } (A,B)^{(1,2|B|-1)} \text{ does.}$$

Proof. The figure below shows process templates $(A,B)$ such that any system $(A,B)^{(1,n)}$ with $n \leq 2|B| - 2$ does not deadlock on strong-fair runs, but larger systems do. □




C Cutoffs for Conjunctive Systems

C.1 Conjunctive Systems without Fairness

Lemma 9 (Monotonicity: Conj, Props, Unfair). For conjunctive systems,

$\forall n \ge 1 : (A,B)^{(1,n)} \models E\,h(A,B_1) \Rightarrow (A,B)^{(1,n+1)} \models E\,h(A,B_1)$.

Proof. Let the new process stutter in the init state. □

Lemma 10 (Bounding: Conj, Props, Unfair). For conjunctive systems,

$\forall n \ge 2 : (A,B)^{(1,2)} \models E\,h(A,B_1) \Leftarrow (A,B)^{(1,n)} \models E\,h(A,B_1)$.

Proof. The proof is inspired by the first part of the proof of [12, Lemma 5.2].

Let $x = (s_1,e_1,p_1)(s_2,e_2,p_2)\ldots$ be a run of $(A,B)^{(1,n)}$. Note that by the semantics of conjunctive guards, the transitions along any local run of $x$ are also enabled in any system $(A,B)^{(1,c)}$ with $c < n$ whose processes exhibit a subset of the local runs of $x$. Thus, we obtain a run of $(A,B)^{(1,c)}$ by copying a subset of the local runs of $x$ and removing the elements of the new global run in which all processes stutter.

Then, based on an infinite run $x$ of the original system, we construct an infinite run $y$ of the cutoff system. Let $y(A) = x(A)$ and $y(B_1) = x(B_1)$. The second copy of template $B$ in $(A,B)^{(1,2)}$ is needed to ensure that the run $y$ is infinite, i.e., that at least one process moves infinitely often. If both $x(A)$ and $x(B_1)$ eventually deadlock, then there exists a process $B_i$ of $(A,B)^{(1,n)}$ that makes infinitely many moves, and we set $y(B_2) = x(B_i)$. Otherwise, we set $y(B_2) = x(B_2)$. □

Tightness 5 (Conj, Props, Unfair). The cutoff $c = 2$ is tight for parameterized model checking of properties $E\,h(A,B_1)$ in 1-conjunctive systems, i.e., there is a system type $(A,B)$ and a property $E\,h(A,B_1)$ which is not satisfied by $(A,B)^{(1,1)}$ but is by $(A,B)^{(1,2)}$.

Proof. The figure below shows templates $(A,B)$ and $E\,h(A,B_1) = E\,F\,b$. An infinite run that satisfies the formula needs one copy of $B$ that stays in the initial state, and one that moves into $b$. □



(a) Template A 



(b) Template B 


Lemma 11 (Monotonicity: Conj, Deadlocks, Unfair). For conjunctive systems:

$\forall n \ge 1 : (A,B)^{(1,n)}$ has a deadlock $\Rightarrow (A,B)^{(1,n+1)}$ has a deadlock

Proof. Given a deadlocked run $x$ of $(A,B)^{(1,n)}$, we construct a deadlocked run of $(A,B)^{(1,n+1)}$. Let $y$ copy run $x$, and keep the new process in init. If $x$ is globally deadlocked and $d$ is the moment when the deadlock happens in $x$, then schedule the new process arbitrarily after moment $d$. □

Lemma 12 (Bounding: 1-Conj, Deadlocks, Unfair). For 1-conjunctive systems:

— with $c = 2|Q_B \setminus \{\mathsf{init}\}|$ and any $n \ge c$⁸:

$(A,B)^{(1,c)}$ has a global deadlock $\Leftarrow (A,B)^{(1,n)}$ has a global deadlock

— with $c = |Q_B \setminus \{\mathsf{init}\}| + 2$ and any $n \ge c$:

$(A,B)^{(1,c)}$ has a local deadlock $\Leftarrow (A,B)^{(1,n)}$ has a local deadlock

— with $c = 2|Q_B \setminus \{\mathsf{init}\}|$ and any $n \ge c$:

$(A,B)^{(1,c)}$ has a deadlock $\Leftarrow (A,B)^{(1,n)}$ has a deadlock

⁸ This statement also applies to systems without the restriction to 1-conjunctive guards.

Proof. The proof is inspired by the second part of the proof of [12, Lemma 5.2], but in addition to global deadlocks we consider local deadlocks.

Global Deadlocks. Let $c = 2|Q_B \setminus \{\mathsf{init}\}|$. Let run $x = (s_1,e_1,p_1)\ldots(s_d,e_d,\bot)$ of $(A,B)^{(1,n)}$ with $n \ge c$ be globally deadlocked. We construct a globally deadlocked run $y$ in $(A,B)^{(1,c)}$:
a. for every $q \in \mathsf{Set}(s_d) \setminus \{\mathsf{init}\}$:

• if $s_d$ has two or more processes in state $q$, then devote two processes of $(A,B)^{(1,c)}$ that mimic the behaviour of two of them in $(A,B)^{(1,n)}$ correspondingly

• otherwise, $s_d$ has only one process in state $q$; then devote one process of $(A,B)^{(1,c)}$ that mimics that process of $(A,B)^{(1,n)}$

b. for any process of $(A,B)^{(1,c)}$ not used in the construction (if any): let it mimic an arbitrary $B$-process of $(A,B)^{(1,n)}$ not used in the construction (including (b))

The construction uses (ignoring (b)) $\le 2|Q_B \setminus \{\mathsf{init}\}|$ processes $B$. Note that this part of the proof does not assume that the system is 1-conjunctive.
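As an added example (not code from the paper), the following Python model checks a small constructed pair of 1-conjunctive templates for reachable global deadlocks in $(A,B)^{(1,n)}$, and applies step (a) above, keeping at most two $B$-processes per non-init state, to a deadlocked global state of a larger system; the projected state is a deadlocked global state of the cutoff system with $c = 2|Q_B \setminus \{\mathsf{init}\}|$. The templates, the guard encoding and the state representation are constructed here and are assumptions, not the paper's.

```python
from collections import deque

# Constructed templates (not from the paper). A guard is a tuple of states q, read as
# the 1-conjunctive guard "forall not q": no *other* process may be in q; () is "true".
# Inputs are omitted. A global state is (a_state, b_counts) with b_counts a sorted
# tuple of (B-state, number of B-processes in it), zero counts dropped.
B_INIT = "init"
B_TRANS = {"init": [((), "b1")],        # init -> b1, unguarded
           "b1": [(("b1",), "b2")],      # b1 -> b2, guarded "forall not b1"
           "b2": [(("b2",), "init")]}    # b2 -> init, guarded "forall not b2"
A_INIT = "a0"
A_TRANS = {"a0": [(("b1",), "a1")],      # a0 -> a1, guarded "forall not b1"
           "a1": [(("b2",), "a0")]}      # a1 -> a0, guarded "forall not b2"

def guard_holds(guard, a_state, b_dict, own_b_state):
    """No process other than the moving one (own_b_state, or A if None) is in any q."""
    for q in guard:
        if q == a_state and own_b_state is not None:  # A is "another process" for B
            return False
        if b_dict.get(q, 0) - (1 if q == own_b_state else 0) > 0:
            return False
    return True

def successors(a_state, b_counts):
    """Interleaving semantics: exactly one process takes one enabled transition."""
    b_dict = dict(b_counts)
    for guard, a_next in A_TRANS[a_state]:
        if guard_holds(guard, a_state, b_dict, None):
            yield (a_next, b_counts)
    for q, _ in b_counts:
        for guard, q_next in B_TRANS[q]:
            if guard_holds(guard, a_state, b_dict, q):
                d = dict(b_dict)
                d[q] -= 1
                d[q_next] = d.get(q_next, 0) + 1
                yield (a_state, tuple(sorted((s, c) for s, c in d.items() if c > 0)))

def is_global_deadlock(state):
    return next(successors(*state), None) is None

def reachable_global_deadlocks(n):
    """BFS over (A,B)^(1,n) from the initial state; returns the reachable global deadlocks."""
    start = (A_INIT, ((B_INIT, n),))
    seen, queue, dead = {start}, deque([start]), set()
    while queue:
        state = queue.popleft()
        succ = list(successors(*state))
        if not succ:
            dead.add(state)
        for nxt in succ:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return dead

def project_to_cutoff(state):
    """Step (a) of the construction: keep at most two B-processes per non-init state.
    "Another process in q" holds for a process in q iff count >= 2, and for a process
    elsewhere iff count >= 1; min(count, 2) preserves both, so the state stays deadlocked."""
    a_state, b_counts = state
    return (a_state, tuple((q, min(c, 2)) for q, c in b_counts if q != B_INIT))
```

The bound $2|Q_B \setminus \{\mathsf{init}\}|$ is 4 for this template, and the projection of every reachable global deadlock of $(A,B)^{(1,6)}$ is a reachable global deadlock of $(A,B)^{(1,4)}$.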

Local Deadlocks. Let $c = |Q_B \setminus \{\mathsf{init}\}| + 2$. Let run $x = (s_1,e_1,p_1)\ldots$ of $(A,B)^{(1,n)}$ with $n \ge c$ be locally deadlocked. We will construct a run $y$ of $(A,B)^{(1,c)}$ in which at least one process deadlocks and exactly one process moves infinitely often.

Wlog. we distinguish three cases:

1. $A$ moves infinitely often in $x$, and $B_1$ deadlocks

2. $A$ deadlocks, and $B_1$ moves infinitely often

3. $A$ neither deadlocks nor moves infinitely often, $B_1$ deadlocks, $B_2$ moves infinitely often

1. "$A$ moves infinitely often in $x$, and $B_1$ deadlocks".

Let $q_\bot, e_\bot$ be the deadlocked state and input of $B_1$ in $x$, and let $d$ be the moment from which $B_1$ is deadlocked.

Let $\mathsf{DeadGuards} = \{q_1,\ldots,q_k\}$ be the set of states such that for every $q_i \in \mathsf{DeadGuards}$ there is an outgoing transition from $q_\bot$ with $e_\bot$ guarded "$\forall\neg q_i$", and assume $\mathsf{DeadGuards} \ne \emptyset$ (if it is empty, then we keep every process in init until someone reaches $q_\bot$ and then schedule the rest arbitrarily). (Recall that $q_i \in Q_B \cup Q_A$.) The construction is:

a. $y(A) = x(A)$, $y(B_1) = x(B_1)$

b. for each $q \in \mathsf{DeadGuards}$, at moment $d$ in $x$ there is a process $p_q$ in state $q$. If $p_q \in \{B_1,\ldots,B_n\}$, then let one process of $(A,B)^{(1,c)}$ mimic it till moment $d$, and then stutter in $q$.

c. let other processes of $(A,B)^{(1,c)}$ (if any) stay in init.

The construction uses (ignoring (c)) $\le |Q_B \setminus \{\mathsf{init}\}| + 1$ processes $B$.

Note: the assumption of 1-conjunctive systems implies that, in order to deadlock $B_1$, we need a process in each state in $\mathsf{DeadGuards}$. This implies that having a process in each state of $\mathsf{DeadGuards}$ does not disable any of $A$'s transitions after moment $d$.

2. "$A$ deadlocks, and $B_1$ moves infinitely often": use the construction from (1).

3. "$A$ neither deadlocks nor moves infinitely often, $B_1$ deadlocks, $B_2$ moves infinitely often". Use the construction from (1), and additionally set $y(B_2) = x(B_2)$. Thus, the construction uses (ignoring (c)) $\le |Q_B \setminus \{\mathsf{init}\}| + 2$ processes $B$.

Deadlocks. Take the higher value among the cases considered above, $c = 2|Q_B \setminus \{\mathsf{init}\}|$: if $x$ is locally deadlocked then the monotonicity lemma ensures that there is a deadlocked run in $(A,B)^{(1,c)}$. □

Tightness 6 (1-Conj, Deadlocks, Unfair). The cutoff $c = 2|B| - 2$ is tight for parameterized deadlock detection in 1-conjunctive systems, i.e., for any $k$ there is a system type $(A,B)$ with $|B| = k$ such that there is a deadlock in $(A,B)^{(1,2|B|-2)}$, but not in $(A,B)^{(1,2|B|-3)}$.

Proof. The figure below provides templates $(A,B)$ that prove the observation. In the figure, the edge labelled $\forall\neg b_1,\ldots,\forall\neg b_k$ denotes edges with guards $\forall\neg b_1,\ldots,\forall\neg b_k$. To get the global deadlock we need at least two processes in each $b_i \in \{b_1,\ldots,b_k\}$. Note that the system does not have local deadlocks. □

(a) Template A

(b) Template B


C.2 Conjunctive Systems with Fairness

In this section, the subscript $i$ in the path quantifiers $E_i$ and $A_i$ denotes quantification over initializing runs.

Lemma 13 (Monotonicity: Conj, Props, Fair). For unconditionally-fair initializing runs of conjunctive systems:

$\forall n \ge 2 : (A,B)^{(1,n)} \models E_{\mathsf{uncond},i}\,h(A,B_1) \Rightarrow (A,B)^{(1,n+1)} \models E_{\mathsf{uncond},i}\,h(A,B_1)$.

Proof. Given an unconditionally-fair initializing run $x$ of $(A,B)^{(1,n)}$, we construct an unconditionally-fair initializing run $y$ in $(A,B)^{(1,n+1)}$ with one additional process $p'$. First, copy all local runs of all processes of $(A,B)^{(1,n)}$ from the run $x$ into $y$. Then, let process $p'$ stutter in init until some other process $p \ne B_1$ enters init. Then, exchange the roles of processes $p'$ and $p$: let $p$ stutter in init, while $p'$ takes the transitions of $p$ from the original run, until it enters init. And so on. In this way, we continue to interleave the run between $p'$ and $p$, and obtain an unconditionally-fair initializing run for all processes, with $y(A,B_1) = x(A,B_1)$. Thus, if $(A,B)^{(1,n)} \models E\,h(A,B_1)$, then $(A,B)^{(1,n+1)} \models E\,h(A,B_1)$. □

Lemma 14 (Bounding: Conj, Props, Fair). For unconditionally-fair initializing runs of conjunctive systems:

$\forall n \ge 1 : (A,B)^{(1,1)} \models E_{\mathsf{uncond}}\,h(A,B_1) \Leftarrow (A,B)^{(1,n)} \models E_{\mathsf{uncond}}\,h(A,B_1)$

Proof. Given an unconditionally-fair [initializing] run $x$ of $(A,B)^{(1,n)}$ with $n \ge c$, construct an unconditionally-fair [initializing] run $y$ in the cutoff system $(A,B)^{(1,1)}$: copy the local runs of the processes $A, B_1$. □

Tightness 7 (1-Conj, Props, Fair). The cutoff $c = 2$ is tight for parameterized model checking of $E\,h(A,B_1)$ on unconditionally-fair initializing runs in 1-conjunctive systems, i.e., there is a system type $(A,B)$ and a property $E\,h(A,B_1)$ which is satisfied by $(A,B)^{(1,1)}$ but not by $(A,B)^{(1,2)}$.

Proof. The figure below shows $(A,B)$ and $E\,h(A,B_1) = E\,FG(b_{\mathsf{init}} \to a_1)$. □

(a) Template A

(b) Template B


Lemma 15 (Monotonicity: Conj, Deadlocks, Fair). For 1-conjunctive systems on strong-fair initializing or finite runs:

$\forall n \ge 1 : (A,B)^{(1,n)}$ has a deadlock $\Rightarrow (A,B)^{(1,n+1)}$ has a deadlock

Proof. Let $x$ be a globally deadlocked or locally deadlocked strong-fair initializing run of $(A,B)^{(1,n)}$. We will build a globally deadlocked or locally deadlocked strong-fair initializing run $y$ of $(A,B)^{(1,n+1)}$.

If $x$ is finite, then $y$ is the copy of $x$, and the new process stays in $\mathsf{init}_B$ until every process becomes deadlocked, and is then scheduled arbitrarily. Note that $y$ constructed this way may be locally deadlocked rather than globally deadlocked as $x$ is.

Now consider the case when $x$ is locally deadlocked strong-fair initializing.

Let $\mathcal{D}$ be the set of deadlocked $B$-processes in $x$, and $d$ the moment when these processes become deadlocked.

Consider the case $\mathsf{Visited}^{\infty}_B(x) \ne \emptyset$: copy $x$ into $y$, and let the new process $B_{n+1}$ wait in $\mathsf{init}_B$ and interleave roles with a process $B$ that moves infinitely often in $x$, similarly to what is described in the proof of Lemma 13.

Consider the case $\mathsf{Visited}^{\infty}_B(x) = \emptyset$: every $B$-process of $(A,B)^{(1,n)}$ is deadlocked and thus $\mathcal{D} = B$. Define

$\mathsf{DeadGuards} = \{\, q \mid \exists P \in \mathcal{D} \text{ with a transition guarded ``}\forall\neg q\text{'' in } (s_d(P), e_d(P)) \,\}$.

Note that $Q_A \cap \mathsf{DeadGuards} = \emptyset$, because $A$ visits $\mathsf{init}_A$ infinitely often and we consider 1-conjunctive systems. Hence, copy $x$ into $y$, and let the new process $B_{n+1}$ wait in $\mathsf{init}_B$ until every process $B_1,\ldots,B_n$ becomes deadlocked, and then schedule $B_{n+1}$ arbitrarily. □


Lemma 16 (Bounding: 1-Conj, Deadlocks, Fair). For 1-conjunctive systems on strong-fair initializing or finite runs:

— with $c = 2|Q_B \setminus \{\mathsf{init}\}|$ and any $n \ge c$:

$(A,B)^{(1,c)}$ has a global deadlock $\Leftarrow (A,B)^{(1,n)}$ has a global deadlock

— with $c = 2|Q_B \setminus \{\mathsf{init}\}| + 1$ and any $n \ge c$ (when $|Q_B| \ge 2$):

$(A,B)^{(1,c)}$ has a local deadlock $\Leftarrow (A,B)^{(1,n)}$ has a local deadlock

— with $c = 2|Q_B \setminus \{\mathsf{init}\}|$ and any $n \ge c$:

$(A,B)^{(1,c)}$ has a deadlock $\Leftarrow (A,B)^{(1,n)}$ has a deadlock
Proof. Global Deadlocks, $c = 2|Q_B \setminus \{\mathsf{init}_B\}|$: see Lemma 12; fairness does not matter on finite runs.

Local Deadlocks. Let $c = 2|Q_B \setminus \{\mathsf{init}_B\}| + 1$. Let $x = (s_1,e_1,p_1)\ldots$ be a locally deadlocked strong-fair initializing run of $(A,B)^{(1,n)}$ with $n \ge c$. We construct a locally deadlocked strong-fair initializing run $y$ of $(A,B)^{(1,c)}$.

Let $\mathcal{D}$ be the set of deadlocked processes in $x$. Let $d$ be the moment in $x$ starting from which every process in $\mathcal{D}$ is deadlocked.

Let $\mathsf{dead}(x)$ be the set of states in which the processes $\mathcal{D}$ of $(A,B)^{(1,n)}$ are deadlocked.

Let $\mathsf{dead}_2(x) \subseteq \mathsf{dead}(x)$ be the set of deadlocked states such that: for every $q \in \mathsf{dead}_2(x)$, there is a process $P \in \mathcal{D}$ with $s_d(P) = q$ that for input $e_d(P)$ has a transition guarded with "$\forall\neg q$". Thus, a process in $q$ is deadlocked with $e_d(P)$ only if there is another process in $q$ at every moment $\ge d$.

Let $\mathsf{dead}_1(x) = \mathsf{dead}(x) \setminus \mathsf{dead}_2(x)$. I.e., for any $q \in \mathsf{dead}_1(x)$, there is a process $P$ of $(A,B)^{(1,n)}$ which is deadlocked in $s_d(P) = q$ with input $e_d(P)$, and no transitions from $q$ with input $e_d(P)$ are guarded with "$\forall\neg q$".

Define

$\mathsf{DeadGuards} = \{\, q \mid \exists P \in \mathcal{D} \text{ with a transition guarded ``}\forall\neg q\text{'' in } (s_d(P), e_d(P)) \,\}$.

We illustrate properties of the sets $\mathsf{DeadGuards}$, $\mathsf{dead}_1$, $\mathsf{dead}_2$, $\mathsf{Visited}^{\infty}_B(x)$ in Fig. 2.

Let us assume $\mathsf{DeadGuards} \ne \emptyset$; the other case is straightforward.

The construction has two phases, the setup and the looping. The setup phase is:

a. $y(A) = x(A)$

b. for every $q \in \mathsf{dead}_1$: devote one process of $(A,B)^{(1,c)}$ that copies a process of $(A,B)^{(1,n)}$ deadlocked in $q$

c. for every $q \in \mathsf{dead}_2 \setminus \mathsf{Visited}^{\infty}_B(x)$: devote two processes of $(A,B)^{(1,c)}$ that copy the behaviour of two processes of $(A,B)^{(1,n)}$ that deadlock in $q$

d. for every $q \in \mathsf{dead}_2 \cap \mathsf{Visited}^{\infty}_B(x)$: in $x$, there is a process $B^{\infty}_q \in B \setminus \mathcal{D}$ that visits $q$ infinitely often, and there is a process $B^{\bot}_q \in \mathcal{D}$ deadlocked in $q$. Then:

1. devote one process of $(A,B)^{(1,c)}$ that copies the behaviour of $B^{\bot}_q$

2. devote one process of $(A,B)^{(1,c)}$ that copies the behaviour of $B^{\infty}_q$ until it reaches $q$ at a moment after $d$, and then provide the same input as $B^{\bot}_q$ receives at moment $d$. This will deadlock the process.

e. for every $q \in \mathsf{DeadGuards} \setminus \mathsf{dead}$: note that $q \in \mathsf{Visited}^{\infty}_B(x)$ and, thus, there is a process $B^{\infty}_q \in B \setminus \mathcal{D}$ that visits $q$ infinitely often. Devote one process of $(A,B)^{(1,c)}$ that copies the behaviour of $B^{\infty}_q$ until it reaches $q$ at a moment after $d$

f. if $\mathsf{DeadGuards} \setminus \mathsf{dead} \ne \emptyset$ or $A \in \mathcal{D}$, then devote one process that stays in $\mathsf{init}_B$. The process will be used in the looping phase to ensure that the run $y$ is infinite, and that every process of $(A,B)^{(1,c)}$ used in (e) moves infinitely often (and thus $y$ is strong-fair).

g. let any other process of $(A,B)^{(1,c)}$ (if any) copy the behaviour of a process of $(A,B)^{(1,n)}$ that was not used in the construction so far (including this step)

The setup phase ensures: in every state $q \in \mathsf{dead}$, there is at least one process deadlocked in $q$ at moment $d$ in $y$. Now we need to ensure that the non-deadlocked processes described in steps (e) and (f) move infinitely often.

The looping phase is applied to the processes in (e) and (f) only³. Order arbitrarily $\mathsf{DeadGuards} \setminus \mathsf{dead} = (q_1,\ldots,q_k) \subseteq \mathsf{Visited}^{\infty}_B(x)$. Note that $\mathsf{init}_B \notin (q_1,\ldots,q_k)$. Let $\mathcal{V}$ be the set of processes of $(A,B)^{(1,c)}$ used in steps (e) or (f). Note that $|\mathcal{V}| = |(q_1,\ldots,q_k)| + 1$.

³ If there are no such processes, then the setup phase produces the sought run $y$.
Fig. 2: Venn diagram for the sets $\mathsf{DeadGuards}$, $\mathsf{dead}_1$, $\mathsf{dead}_2$, $\mathsf{Visited}^{\infty}_B(x)$:

($q_1$) $\mathsf{dead}_1 \cap \mathsf{DeadGuards} \cap \mathsf{Visited}^{\infty}_B(x) \ne \emptyset$ is possible: in $x$, there is a process deadlocked in state $q_1$, there is a non-deadlocked process that visits $q_1$ infinitely often, and there is a process deadlocked in a state $q \ne q_1$ with a transition guarded "$\forall\neg q_1$"

($q_3$) $\mathsf{dead}_1 \cap \mathsf{DeadGuards} \setminus \mathsf{Visited}^{\infty}_B(x) \ne \emptyset$ is possible: similarly to $q_1$, except that no non-deadlocked process visits $q_3$ infinitely often

($q_2$) $\mathsf{dead}_1 \setminus (\mathsf{Visited}^{\infty}_B(x) \cup \mathsf{DeadGuards}) \ne \emptyset$ is possible: in $x$, there is a process deadlocked in state $q_2$, no other process visits $q_2$ infinitely often, and no process is deadlocked with a transition guarded "$\forall\neg q_2$"

($q_4$) $\mathsf{DeadGuards} \setminus \mathsf{dead} \ne \emptyset$ is possible: there is a process deadlocked in a state $q \ne q_4$ with a transition guarded "$\forall\neg q_4$"

($q_5$) $\mathsf{dead}_2 \cap \mathsf{Visited}^{\infty}_B(x) \cap \mathsf{DeadGuards} \ne \emptyset$ is possible: there is at least one process deadlocked in $q_5$ with a transition guarded "$\forall\neg q_5$", and some non-deadlocked process visits $q_5$ infinitely often (this process does not deadlock in $q_5$, because in $q_5$ it receives an input different from that of the deadlocked processes)

($q_6$) $\mathsf{dead}_2 \cap \mathsf{DeadGuards} \setminus \mathsf{Visited}^{\infty}_B(x) \ne \emptyset$ is possible: similarly to $q_5$, except that no non-deadlocked process visits $q_6$ infinitely often


The looping phase is: set $i = 1$, and repeat infinitely the following.

— let $P_{\mathsf{init}} \in \mathcal{V}$ be the process that is currently in $\mathsf{init}_B$, and $P_{q_i} \in \mathcal{V}$ the one currently in $q_i$

— let $B_{q_i}$ be a process of $(A,B)^{(1,n)}$ that visits $q_i \in \mathsf{Visited}^{\infty}_B(x)$ and $\mathsf{init}_B$ infinitely often. Let $P_{\mathsf{init}}$ of $(A,B)^{(1,c)}$ copy the transitions of $B_{q_i}$ on some path $\mathsf{init}_B \to \ldots \to q_i$, then let $P_{q_i}$ copy the transitions of $B_{q_i}$ on some path $q_i \to \ldots \to \mathsf{init}_B$. For copying we consider only the paths of $B_{q_i}$ that happen after moment $d$.

— $i = i \oplus 1$

The number of copies of $B$ that the construction uses in the worst case is (ignoring (g), and assuming $|Q_B| \ge 2$, $\mathsf{DeadGuards} \setminus \mathsf{dead} = \emptyset$, and $A \in \mathcal{D}$):

$1_{(f)} + 2|\mathsf{dead}_2|_{(c),(d)} + |\mathsf{dead}_1|_{(b)} \le 2|Q_B \setminus \{\mathsf{init}_B\}| + 1$.

Deadlocks. The largest value of $c$ among those for "Local Deadlocks" and for "Global Deadlocks" can be used as the sought value of $c$ for the case of general deadlocks. But it will not be the smallest one. In the proof of the case "Local Deadlocks", in the setup phase, item (f) can be modified for the case when $A \in \mathcal{D}$: since we do not need to ensure that $y$ is infinite, we avoid allocating a process in state $\mathsf{init}_B$. For a given locally deadlocked strong-fair run, the setup phase may then produce a globally deadlocked run, but that is all right for the case of general deadlocks. With this note, for the general case $c = 2|Q_B \setminus \{\mathsf{init}_B\}|$. □

Tightness 8 (1-Conj, Deadlocks, Fair). The cutoff $c = 2|B| - 2$ is tight for deadlock detection on strong-fair initializing or finite runs in 1-conjunctive systems, i.e., for any $k \ge 2$ there is a system type $(A,B)$ with $|B| = k$ such that there is a strong-fair initializing deadlocked run in $(A,B)^{(1,2|B|-2)}$, but not in (A,

Proof. Consider the same templates as in Observation 6. □



